Enterprise knowledge backup platform Commvault has revealed that an unknown nation-state menace actor breached its Microsoft Azure atmosphere by exploiting CVE-2025-3928 however emphasised there is no such thing as a proof of unauthorized knowledge entry.
“This exercise has affected a small variety of prospects now we have in frequent with Microsoft, and we’re working with these prospects to offer help,” the corporate stated in an replace.
“Importantly, there was no unauthorized entry to buyer backup knowledge that Commvault shops and protects, and no materials affect on our enterprise operations or our means to ship services and products.”
In an advisory issued on March 7, 2025, Commvault stated it was notified by Microsoft on February 20 about unauthorized exercise inside its Azure atmosphere and that the menace actor exploited CVE-2025-3928 as a zero-day. It additionally stated it rotated affected credentials and enhanced safety measures.
The disclosure comes because the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added CVE-2025-3928 to its Identified Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Govt Department (FCEB) businesses to use the required patches for Commvault Internet Server by Might 19, 2025.
To mitigate the danger posed by such assaults, prospects are suggested to use a Conditional Entry coverage to all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations, and rotate and sync shopper secrets and techniques between Azure portal and Commvault each 90 days.
The corporate can be urging customers to watch sign-in exercise to detect any entry makes an attempt originating from IP addresses exterior of the allowlisted ranges. The next IP addresses have been related to malicious exercise –
- 108.69.148.100
- 128.92.80.210
- 184.153.42.129
- 108.6.189.53, and
- 159.242.42.20
“These IP addresses must be explicitly blocked inside your Conditional Entry insurance policies and monitored in your Azure sign-in logs,” Commvault stated. “If any entry makes an attempt from these IPs are detected, please report the incident instantly to Commvault Help for additional evaluation and motion.”
