Notice: Security Advisory (Update)

This post is part of our ongoing commitment to protect customers and share threat intelligence with the cybersecurity community.

By Danielle Sheer, Chief Trust Officer | May 4, 2025

What Happened

On February 20, 2025, Microsoft began notifying us regarding unauthorized activity by a nation-state threat actor based on their visibility within Azure environments. Commvault immediately launched an investigation with the assistance of leading cybersecurity experts and published a security advisory. We are working with appropriate authorities and known targeted customers as information becomes available to us. In April, Microsoft provided new threat intelligence and we published an update to the security advisory.

What's New

According to industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments. Our investigation to date indicates this threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments. In response, Commvault has taken several remedial actions detailed below, including rotating credentials. Commvault continues to update indicators of compromise (IOCs) to enable customer investigations within their M365 environments.

Our investigation reveals there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.

What We're Doing to Protect Customers:

- Rotating app credentials for M365 managed by Commvault and enhancing security monitoring.
- Updating security advisories, best practices, and IOCs.
- Providing optional configurations aligned with Microsoft's latest security recommendations.
- Furthering responsible vulnerability disclosure and patching, specifically for CVE-2025-3928, which is the known CVE to date related to this security advisory.
- Continuing our investigation as we receive threat intelligence.

Recommended Actions for Customers:

For SaaS customers who have deployed custom applications:

- Rotate app credentials for M365 used by Commvault as soon as possible.
- Revalidate registration for proper scoping and permissions.
- Apply conditional access policies on any single tenant app in use.
- Enforce least-privilege access with tightly scoped permissions.
- Stay up to date with Microsoft threat bulletins and Commvault updates.
- Review Entra ID audit logs using the IOCs.

Customers with questions can contact us at SecurityAdvisory@commvault.com.