Cyber Defense Advisors

Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach

Zero-Day in Azure Breach

Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access.

“This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” the company said in an update.

“Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.”

In an advisory issued on March 7, 2025, Commvault said it was notified by Microsoft on February 20 about unauthorized activity within its Azure environment and that the threat actor exploited CVE-2025-3928 as a zero-day. It also said it rotated affected credentials and enhanced security measures.

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches for Commvault Web Server by May 19, 2025.

Cybersecurity

To mitigate the risk posed by such attacks, customers are advised to apply a Conditional Access policy to all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations, and rotate and sync client secrets between Azure portal and Commvault every 90 days.

The company is also urging users to monitor sign-in activity to detect any access attempts originating from IP addresses outside of the allowlisted ranges. The following IP addresses have been associated with malicious activity –

  • 108.69.148.100
  • 128.92.80.210
  • 184.153.42.129
  • 108.6.189.53, and
  • 159.242.42.20

“These IP addresses should be explicitly blocked within your Conditional Access policies and monitored in your Azure sign-in logs,” Commvault said. “If any access attempts from these IPs are detected, please report the incident immediately to Commvault Support for further analysis and action.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 

Related Post

US as a Surveillance State

Two essays were just published on DOGE’s data collection and aggregation, and how it ends with a modern surveillance state.

Cyber News

Fake Security Plugin on WordPress Enables Remote Admin

Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.

Cyber News

Why top SOC teams are shifting to Network

Security Operations Center (SOC) teams are facing a fundamentally new challenge — traditional cybersecurity tools are failing to detect advanced

Cyber News

Claude AI Exploited to Operate 100+ Fake Political

Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an “influence-as-a-service” operation to

Cyber News

Leave feedback about this

  • Quality
  • Price
  • Service
Choose Image