By leveraging CVE-2025-3928, the enterprise data backup platform Commvault revealed that an unknown nation-state threat actor violated the Microsoft Azure environment, but emphasized that there was no evidence of unauthorized data access.
“This activity has impacted a small number of customers that we share with Microsoft, and we work with these customers to provide support,” the company said in the update.
“The important thing is that there is no unauthorized access to customer backup data that protects and protects Commvault, and does not have a significant impact on our business operations and our ability to provide products and services.”
In a recommendation issued on March 7, 2025, Commvault said that on February 20, Microsoft was notified of unauthorized activity within an Azure environment, and that threat actors used CVE-2025-3928 as a zero day. He also said it had rotated the affected credentials to enhance security measures.
This disclosure requires that the US Cybersecurity and Infrastructure Security Agency (CISA) add CVE-2025-3928 to its known Exploitation Vulnerabilities (KEV) catalog and apply the necessary patches to the Commvault web server by May 19, 2025, as it requires a Federal Private Enforcement Division (FCEB) agency.
To mitigate the risk posed by such attacks, customers are advised to apply conditional access policies to all Microsoft 365, Dynamics 365, Azure AD single tenant app registrations, and rotate and sync client secrets every 90 days between the Azure portal and Commvault.
The company also encourages users to monitor sign-in activity and detect attempts to access from IP addresses other than Alloplisted Range. The following IP addresses are associated with malicious activity –
- 108.69.148.100
- 128.92.80.210
- 184.153.42.129
- 108.6.189.53, and
- 159.242.42.20
“These IP addresses are explicitly blocked within conditional access policies and must be monitored by Azure sign-in logs,” Commvault said. “If any attempts to access from these IPS are detected, please report the incident immediately to Commvault Support for further analysis and action.”
