Commvault Confirms 0-Day Exploit Allowed Hackers Access to Its Azure Environment


May 1, 2025 - 08:12

Commvault, a leading provider of data protection solutions, has confirmed that a nation-state threat actor breached its Azure environment in February by exploiting a zero-day vulnerability.

The company disclosed that while the incident affected a small number of customers, no backup data was compromised during the attack.

According to Commvault, the breach was first detected when Microsoft notified the company of suspicious activity within its Azure environment on February 20, 2025.

“We immediately activated our incident response plan with the assistance of leading cybersecurity firms and law enforcement,” said Danielle Sheer, Commvault’s Chief Trust Officer, in a Wednesday update.

The investigation revealed that the attackers exploited a previously unknown vulnerability, now identified as CVE-2025-3928, in the Commvault Web Server software.

0-Day Vulnerability Exploited

This security flaw allowed remote authenticated attackers with low privileges to plant webshells on target servers. The vulnerability has since been patched in multiple software versions.

“Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services,” Sheer emphasized.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog on Monday, April 28, requiring federal agencies to secure their Commvault software by May 19, 2025.

The agency warned that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise”.

Security researchers have rated the vulnerability with a CVSS base score of 8.8, reflecting its significant potential impact.

Exploiting this vulnerability requires attackers to have authenticated user credentials within the Commvault software environment. This means the target system must be accessible via the internet, compromised through another avenue, and accessed using legitimate credentials.

In response to the breach, Commvault has patched the vulnerability and implemented several security measures. The company rotated affected credentials and is working closely with two leading cybersecurity firms, the FBI, and CISA.

Commvault has also published guidance for customers to protect their systems, including applying Conditional Access policies to Microsoft 365, Dynamics 365, and Azure AD single-tenant App registrations.

Additionally, the company recommends customers rotate and sync client secrets between the Azure portal and Commvault every 90 days, and regularly monitor sign-in activity for access attempts from unauthorized IP addresses.

Commvault has identified several IP addresses associated with known malicious activity that should be explicitly blocked: 108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20.
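The sign-in monitoring recommended above can be sketched as a small triage script. This is an added example, not code from Commvault's advisory or from the article: the log records are constructed, their field names follow the Microsoft Graph `signIn` resource, and `ALLOWED_NETWORKS` is an assumed allowlist that each tenant must replace with its own ranges.

```python
import ipaddress
import json

# IP addresses the article says Commvault listed for explicit blocking.
LISTED_IPS = {ipaddress.ip_address(ip) for ip in (
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20")}

# Assumption: networks your tenant expects sign-ins from (documentation range).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export, one sign-in record per line (not real log data).
SAMPLE_LOG = """\
{"createdDateTime": "2025-05-02T08:00:11Z", "appDisplayName": "backup-app", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-02T08:03:40Z", "appDisplayName": "backup-app", "ipAddress": "108.69.148.100", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-02T08:05:02Z", "appDisplayName": "backup-app", "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-05-02T08:07:19Z", "appDisplayName": "backup-app", "ipAddress": "::ffff:108.6.189.53", "status": {"errorCode": 0}}
truncated-line-without-json
"""


def triage_sign_ins(lines, allowed=ALLOWED_NETWORKS, listed=LISTED_IPS):
    """Return (line_no, ip, verdict, succeeded) for every record needing review."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["ipAddress"])
        except (ValueError, KeyError, TypeError):
            # Never drop what cannot be parsed: a gap in coverage is a finding.
            findings.append((line_no, None, "unparseable", None))
            continue
        # Dual-stack front ends may log IPv4 clients as ::ffff:a.b.c.d.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        if ip in listed:
            findings.append((line_no, str(ip), "listed_ip", succeeded))
        elif not any(ip in net for net in allowed):
            findings.append((line_no, str(ip), "outside_allowlist", succeeded))
    return findings


if __name__ == "__main__":
    for finding in triage_sign_ins(SAMPLE_LOG.splitlines()):
        print(finding)
```

A `listed_ip` finding with `succeeded` set to true is the case to escalate first, since it means a sign-in from a listed address was accepted rather than rejected.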

“No company is immune to an attack. We believe that sharing information and working together makes us all more resilient,” Commvault stated in its advisory.

This incident highlights the growing sophistication of nation-state cyber threats targeting critical infrastructure and data protection systems.

Organizations using Commvault’s products are strongly encouraged to apply the latest security patches and implement the recommended security measures to protect their environments from similar attacks.


The post Commvault Confirms 0-Day Exploit Allowed Hackers Access to Its Azure Environment appeared first on Cyber Security News.