Commvault Zero-Day CVE-2025-3928 Exploited in SaaS Campaign Targeting Microsoft 365 Backups

A critical zero-day vulnerability in Commvault’s web server software, identified as CVE-2025-3928, has been actively exploited by a suspected nation-state threat actor. This exploitation has led to unauthorized access within Commvault’s Azure-hosted Microsoft 365 (M365) backup environments, impacting a subset of customers and raising significant concerns across the SaaS ecosystem.

🔍 What Happened?

On February 20, 2025, Microsoft alerted Commvault to unauthorized activity within its Azure environment. Subsequent investigations revealed that attackers had exploited CVE-2025-3928, a previously unknown vulnerability in Commvault’s web server, to deploy web shells, enabling remote code execution and unauthorized access to sensitive credentials. These credentials included application secrets used by Commvault customers to authenticate their M365 environments.

Commvault promptly initiated its incident response protocols, rotating affected credentials, patching the vulnerability, and collaborating with cybersecurity experts and law enforcement agencies. The company emphasized that there is no evidence of unauthorized access to customer backup data and that its core business operations remained unaffected.

🛠️ Affected Versions and Patch Information – CVE-2025-3928

CVE-2025-3928 is a critical vulnerability in Commvault’s web server component, assigned a CVSS score of 8.7. This vulnerability allows authenticated attackers to deploy and execute web shells, potentially compromising the system. Exploitation requires the attacker to have valid credentials and network access to the Commvault environment.

Affected Versions                    Resolved Version
Commvault v11.36.0 – v11.36.45       v11.36.46
Commvault v11.32.0 – v11.32.88       v11.32.89
Commvault v11.28.0 – v11.28.140      v11.28.141
Commvault v11.20.0 – v11.20.216      v11.20.217

Commvault has addressed this vulnerability in the versions listed above. Customers are strongly advised to upgrade to the corresponding resolved version for their deployment. For detailed instructions on applying these updates, refer to Commvault’s official advisory: CV_2025_03_1: Critical Webserver Vulnerability HIGH.
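To sweep an inventory against the table above, here is an added Python example (not code from Commvault's advisory) that classifies a reported version string as affected, patched, or not covered by the table; the range data is copied from the table, everything else is illustrative.

```python
from typing import Optional, Tuple

# (affected_min, affected_max, resolved) per maintenance branch, copied from the table above.
AFFECTED_RANGES = [
    ("11.36.0", "11.36.45", "11.36.46"),
    ("11.32.0", "11.32.88", "11.32.89"),
    ("11.28.0", "11.28.140", "11.28.141"),
    ("11.20.0", "11.20.216", "11.20.217"),
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.36.45' into (11, 36, 45) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, resolved_version) for a deployed Commvault version.

    status is 'affected' (inside a listed vulnerable range), 'patched'
    (at or above the branch's resolved version) or 'unlisted' (a branch or
    build the table does not cover; verify against the advisory manually).
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if v[:2] != parse_version(low)[:2]:
            continue  # different maintenance branch (e.g. 11.36 vs 11.32)
        if parse_version(low) <= v <= parse_version(high):
            return "affected", fixed
        if v >= parse_version(fixed):
            return "patched", fixed
        return "unlisted", fixed  # e.g. a four-part build between high and fixed
    return "unlisted", None

if __name__ == "__main__":
    # Constructed sample versions, not data from any real deployment.
    for sample in ("11.36.45", "11.36.46", "11.28.140", "11.40.2"):
        print(sample, *assess(sample))
```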

🛡️ Indicators of Compromise (IOCs) – CVE-2025-3928

  • IP Addresses:
    • 108.69.148.100
    • 128.92.80.210
    • 184.153.42.129
    • 108.6.189.53
    • 159.242.42.20
  • Web Shell Artifacts: Presence of unauthorized scripts or files in web server directories
  • Audit Log Anomalies: Unusual authentication attempts or credential changes from Commvault-related service principals

Official Advisory: Commvault CVE-2025-3928 Security Advisory

📊 SIEM Queries for Detection

Azure AD (Entra ID) Audit Logs – Microsoft Sentinel (KQL)

let CommvaultIocIps = dynamic(["108.69.148.100", "128.92.80.210", "184.153.42.129", "108.6.189.53", "159.242.42.20"]);
AuditLogs
| where ActivityDisplayName == "Add service principal credentials"
// AuditLogs has no top-level IPAddress column; the caller's IP lives under InitiatedBy.user
| extend InitiatorApp = tostring(InitiatedBy.app.displayName),
         InitiatorIP = tostring(InitiatedBy.user.ipAddress)
// Either signal alone warrants triage (the Splunk query below takes the same OR approach)
| where InitiatorApp == "Commvault" or InitiatorIP in (CommvaultIocIps)
| project TimeGenerated, ActivityDisplayName, InitiatorApp, InitiatorIP, TargetResources

Microsoft 365 Unified Audit Logs – Microsoft Sentinel (KQL)

OfficeActivity
| where Operation == "Add service principal credentials"
| where AppId == "<Commvault App ID>"
| where ClientIP in ("108.69.148.100", "128.92.80.210", "184.153.42.129", "108.6.189.53", "159.242.42.20")

Splunk Query

(index=azure OR index=o365)
AND (
    ("Add service principal credentials" AND app="Commvault")
    OR src_ip IN ("108.69.148.100", "128.92.80.210", "184.153.42.129", "108.6.189.53", "159.242.42.20")
)

Elastic (KQL)

event.category: "authentication" AND
event.action: "add_credentials" AND
user.name: "Commvault" AND
source.ip: ("108.69.148.100" OR "128.92.80.210" OR "184.153.42.129" OR "108.6.189.53" OR "159.242.42.20")

Wazuh

data.win.system.provider_name: "Microsoft-AzureAD" AND
data.win.event_data.ActivityDisplayName: "Add service principal credentials" AND
data.win.event_data.InitiatedByApp: "Commvault"

or more generically in the alerts.json format:

rule.description: "Azure AD Audit Log" AND
(
  data.source.ip: "108.69.148.100" OR
  data.source.ip: "128.92.80.210" OR
  data.source.ip: "184.153.42.129" OR
  data.source.ip: "108.6.189.53" OR
  data.source.ip: "159.242.42.20"
)
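As an added example (not from the original post or from Commvault), the same detection logic the queries above express, applied in Python to a newline-delimited JSON export of Entra ID audit records: an "Add service principal credentials" event is flagged when either the Commvault app identity or one of the published IPs appears, the OR logic of the Splunk query. The record shapes, event ids and user names are constructed sample data.

```python
import json
from typing import Dict, List

# IOC IP addresses published on this page.
IOC_IPS = {"108.69.148.100", "128.92.80.210", "184.153.42.129",
           "108.6.189.53", "159.242.42.20"}
TARGET_ACTIVITY = "Add service principal credentials"

# Constructed sample records shaped like Entra ID audit-log entries
# (activityDisplayName, initiatedBy.app / initiatedBy.user). Not real data.
SAMPLE_LOG = """
{"id": "evt-1", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"app": {"displayName": "Commvault"}}, "targetResources": [{"displayName": "Commvault-M365-Backup"}]}
{"id": "evt-2", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test", "ipAddress": "184.153.42.129"}}, "targetResources": [{"displayName": "Commvault-M365-Backup"}]}
{"id": "evt-3", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test", "ipAddress": "203.0.113.7"}}, "targetResources": [{"displayName": "HR-Portal"}]}
{"id": "evt-4", "activityDisplayName": "Update application", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test", "ipAddress": "108.6.189.53"}}, "targetResources": [{"displayName": "Commvault-M365-Backup"}]}
"""

def triage(record: Dict) -> List[str]:
    """Return why a record matches; an empty list means no hit."""
    if record.get("activityDisplayName") != TARGET_ACTIVITY:
        return []  # other operations are out of scope, even from an IOC IP
    initiated_by = record.get("initiatedBy") or {}
    app = initiated_by.get("app") or {}
    user = initiated_by.get("user") or {}
    reasons = []
    if app.get("displayName") == "Commvault":
        reasons.append("credential added under the Commvault app identity")
    if user.get("ipAddress") in IOC_IPS:
        reasons.append(f"source IP {user['ipAddress']} is a published IOC")
    return reasons

def scan(ndjson: str) -> Dict[str, List[str]]:
    """Scan a newline-delimited JSON export; map event id -> match reasons."""
    hits: Dict[str, List[str]] = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = triage(record)
        if reasons:
            hits[record["id"]] = reasons
    return hits

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_LOG).items():
        print(event_id, "->", "; ".join(reasons))
```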

✅ Recommended Actions

  1. Apply Patches Immediately: Ensure systems are updated to patch CVE-2025-3928.
  2. Monitor for Unauthorized Access: Check Entra ID and M365 audit logs for credential changes tied to Commvault apps.
  3. Implement Conditional Access Policies: Restrict app-based authentication to Commvault’s allowlisted IPs.
  4. Rotate and Sync Client Secrets: Regularly rotate app secrets and maintain sync between Commvault and Azure Portal.
  5. Block Known Malicious IPs: Explicitly block the IPs listed above in your firewall or endpoint protection tools.

🧠 Final Thoughts

The exploitation of CVE-2025-3928 underscores the evolving cyber threat landscape and the critical importance of proactive security practices. Organizations must remain vigilant with patching, monitoring, and access control to defend against increasingly sophisticated attacks on cloud services.

For more details, consult Commvault’s official advisory and CISA’s alert on the incident.

If you would like assistance with reviewing your cybersecurity posture, compliance, or with proactive 24/7/365 cybersecurity monitoring, please CONTACT US today to learn more about our services.