[Jonathan Greig](/author/jonathan-greig) May 23rd, 2025

Commvault clients should beware of campaign targeting cloud applications, CISA says
===================================================================================

Federal cyber defenders are warning that hackers are targeting the cloud environments of clients of data management giant Commvault.

The New Jersey-based company previously said it was notified by Microsoft in February of a data breach caused by an unnamed nation-state threat actor that allowed access to ‘a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.’

On Thursday evening, the Cybersecurity and Infrastructure Security Agency (CISA) [warned](https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic) that Commvault is now ‘monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment.’

‘CISA believes the threat activity may be part of a larger campaign targeting various SaaS [software-as-a-service] companies’ cloud applications with default configurations and elevated permissions,’ the agency said.

CISA said that the threat actors likely ‘accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure.’ In this context, a secret refers to a unique code used to connect applications to servers.

In [multiple](https://www.commvault.com/blogs/notice-security-advisory-update) [blogs](https://www.commvault.com/blogs/customer-security-update) throughout March, April and May, Commvault explained that the breach ‘affected a small number of customers’ that the company has in common with Microsoft.

Commvault reiterated that the hackers never accessed customer backup data that the company stores and protects, and that it was working with CISA and the FBI on the issue. The company said it rotated credentials for impacted customers and took several other actions to deal with the incident.

In its notice on Thursday, CISA provided its own list of actions Commvault customers should take to protect themselves, including monitoring logs, rotating credentials and more.

CISA noted in its advisory that it recently added a Commvault vulnerability — CVE-2025-3928 — to its catalog of exploited bugs and is ‘continuing to investigate the malicious activity in collaboration with partner organizations.’

Commvault previously [said](https://www.commvault.com/blogs/security-advisory-march-7-2025) that its forensic investigation discovered that the threat actor ‘exploited a zero-day vulnerability’ and included a link to an [advisory](https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html?_gl=1*160dj6*_gcl_au*MTQ3ODY5ODIzNi4xNzQ4MDEzMzU1*_ga*MjA0ODcwNDY4Ny4xNzQ4MDEzMzU1*_ga_M2TFPKFW4N*czE3NDgwMTU1MTckbzIkZzEkdDE3NDgwMTc1NzckajAkbDAkaDA.) on CVE-2025-3928.

When asked why the advisory was released on Thursday, CISA declined to provide more information. A Commvault spokesperson said there ‘are no new developments in this CISA alert since the advisory we posted on [May 4](https://www.commvault.com/blogs/customer-security-update).’

CISA is ‘merely reporting on activity we published and alerted them to from then,’ they told Recorded Future News.

Microsoft did not respond to requests for comment about which country was behind the attacks, what companies are being targeted and what data may be at risk.

James Maude, field CTO at BeyondTrust, which has investigated [similar breaches in the past](https://therecord.media/hackers-used-stolen-credentials-okta), noted that incidents like this highlight the risk involved with allowing third parties privileged access into your environment. ‘Their breach becomes your breach,’ he said.

[Jonathan Greig](/author/jonathan-greig) is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Blog: The Record