CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that attackers are exploiting a weakness in Commvault's Metallic cloud backup platform, using stolen credentials to obtain highly privileged access to enterprise Microsoft 365 environments. The incident highlights cloud-service supply-chain risk and the need for enterprises to strengthen authentication and privilege management. 2025-05-26 15:01:35 Author: cyble.com

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an urgent updated advisory highlighting cyber threat activity targeting Commvault’s Metallic Software-as-a-Service (SaaS) platform, which is widely used to back up Microsoft 365 environments.

As of May 2025, threat actors reportedly leverage stolen credentials to gain unauthorized access to service principals, prompting serious concerns about cloud supply chain security and elevated privilege abuse across enterprise networks.

What Is Commvault Metallic and Why Does It Matter

Commvault’s Metallic is a cloud-based backup and recovery service hosted on Microsoft Azure. It allows enterprises to back up Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft 365 data. Because it connects directly to the enterprise Microsoft Entra ID (formerly Azure AD), any compromise in its configuration or credentials can have devastating downstream effects.

In this case, attackers may have accessed stored client secrets used by Metallic to authenticate with Microsoft 365 environments. These secrets can act like keys to an organization’s entire cloud infrastructure.

Timeline of Activity

CISA’s May 22 advisory is an update to a broader investigation into threat actors exploiting default configurations and poorly secured service accounts across multiple cloud platforms. The advisory links the Commvault incident to a growing number of similar supply chain attacks, wherein attackers:

  • Exploit misconfigured cloud applications
  • Abuse elevated privileges
  • Move laterally across SaaS and identity infrastructures

The precise number of affected organizations remains unknown, but the shared nature of SaaS platforms suggests the potential for widespread impact.

Key Threat Indicators and Attack Surface

According to the advisory, attackers exploited a weakness in how credentials were stored or managed within the Metallic SaaS platform, and then used the stolen client secrets to authenticate against customers' Microsoft Entra ID tenants as the Commvault application.

Affected organizations may observe the following behaviors:

  • Unexpected sign-ins using Commvault service principals
  • Unauthorized modifications to service principal credentials
  • Elevated permissions granted to applications without administrator review
  • Lateral movement into broader M365 environments

This pattern suggests a well-orchestrated campaign focused on supply chain exploitation through trusted cloud vendors.


Recommended Immediate Actions

CISA has outlined a comprehensive set of mitigation steps. Based on Cyble’s threat intelligence and best practices, we strongly encourage organizations to implement the following controls:

1. Audit Service Principal Activity

Review Microsoft Entra audit logs for unusual activity involving Commvault-managed identities. Key events to monitor include:

  • Credential updates
  • Sign-ins from suspicious IP ranges
  • Creation of new credentials
  • Consent grants involving high-privilege scopes

2. Enforce Conditional Access

For single-tenant applications, add a Conditional Access policy for workload identities that restricts the Commvault service principal's sign-ins to Commvault's published allowlisted IP ranges. This reduces the chance that a stolen secret can be used from attacker-controlled infrastructure. Two caveats: Conditional Access for workload identities (service principals) is a separately licensed Microsoft Entra feature, and the policy is evaluated at token issuance, so an access token already issued before the policy takes effect remains valid until it expires. It complements secret rotation rather than replacing it.

3. Rotate Application Secrets Immediately

If your organization used Commvault's Metallic solution before May 2025, assume compromise and rotate the application secrets. Going forward, rotate application secrets on a fixed schedule of at most 30 days, and prefer certificate credentials over client secrets where the vendor supports them.

4. Review OAuth and Graph API Permissions

Applications often request elevated Graph API scopes, such as Mail.ReadWrite or Files.Read.All. Audit existing app consents (both delegated and application permissions) and remove any that are not essential for operations. Confirm that tenant-wide admin consent was granted by an authorized administrator, is documented, and matches the scopes the vendor actually requires.

5. Implement Secure Cloud Baselines

Follow CISA’s Secure Cloud Business Applications (SCuBA) guidance. These baselines help limit excessive privileges, enforce MFA, and reduce lateral movement paths.

6. Enable Unified Audit Logging

If not already enabled, turn on Microsoft 365 unified audit logging so that Exchange, SharePoint, Teams, and Entra activity is searchable from one place (the Microsoft Purview audit search or the Search-UnifiedAuditLog cmdlet). This is critical for long-term forensics, so also check the retention period your license provides; it may be shorter than the window you need to investigate.
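Steps 1, 2 and 4 above come down to three checks against Entra sign-in and directory-audit data: service-principal sign-ins from outside the vendor allowlist, credential changes on the Commvault service principal, and consent grants carrying high-privilege Graph scopes. The script below is an added example, not code from the article, CISA or Commvault. It runs over constructed records shaped like Microsoft Graph signIn and directoryAudit objects; the application ID, service principal object ID, allowlisted range, admin UPN and the exact activityDisplayName strings are assumptions to be replaced with your tenant's real values.

```python
"""Triage constructed Entra sign-in and directory-audit records for the
indicators the advisory lists: SP sign-ins outside the vendor allowlist,
credential changes on the Commvault SP, and high-privilege consent grants."""
import ipaddress
import re

# Assumed placeholders, not real tenant values: the Commvault application
# (client) ID and service principal object ID as shown in your tenant, the
# vendor's published egress ranges, and the admins allowed to change that
# service principal's credentials.
CV_APP = "11111111-1111-1111-1111-111111111111"
CV_SP = "22222222-2222-2222-2222-222222222222"
COMMVAULT_APP_IDS = {CV_APP}
COMMVAULT_SP_OBJECT_IDS = {CV_SP}
COMMVAULT_ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_CHANGE_INITIATORS = {"cloudadmin@example.com"}

# Graph scopes the article names, plus other tenant-wide ones worth flagging.
HIGH_PRIV_SCOPES = {"Mail.ReadWrite", "Files.Read.All", "Sites.FullControl.All",
                    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}
# activityDisplayName strings as Entra directory audits export them
# (assumption: confirm against your own tenant's audit log).
CREDENTIAL_EVENTS = {"Add service principal credentials",
                     "Remove service principal credentials"}
CONSENT_EVENT = "Consent to application"

def ip_allowed(ip, ranges):
    """True if ip lies inside an allowlisted network; malformed input -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)

def initiator_of(audit):
    """Return the UPN or app name that performed an audited action."""
    by = audit.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def scopes_in(audit):
    """Pull granted scopes out of a consent event's ConsentAction.Permissions value."""
    scopes = set()
    for target in audit.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in re.finditer(r"Scope:\s*([^\],;]+)", prop.get("newValue", "")):
                    scopes.update(m.group(1).split())
    return scopes

def check_signins(signins):
    """Flag Commvault service-principal sign-ins from outside the allowlist."""
    findings = []
    for s in signins:
        if s.get("appId") in COMMVAULT_APP_IDS and not ip_allowed(
                s.get("ipAddress", ""), COMMVAULT_ALLOWED_RANGES):
            findings.append(("sp_signin_outside_allowlist",
                             s["createdDateTime"], s["ipAddress"]))
    return findings

def check_audits(audits):
    """Flag unexpected credential changes on the Commvault SP and risky consents."""
    findings = []
    for a in audits:
        name, who = a.get("activityDisplayName", ""), initiator_of(a)
        targets = {t.get("id") for t in a.get("targetResources", [])}
        if (name in CREDENTIAL_EVENTS and targets & COMMVAULT_SP_OBJECT_IDS
                and who not in EXPECTED_CHANGE_INITIATORS):
            findings.append(("unexpected_sp_credential_change", a["activityDateTime"], who))
        elif name == CONSENT_EVENT and (risky := scopes_in(a) & HIGH_PRIV_SCOPES):
            findings.append(("high_privilege_consent", a["activityDateTime"],
                             f"{who}: {' '.join(sorted(risky))}"))
    return findings

SAMPLE_SIGNINS = [  # constructed records shaped like Graph signIn objects
    {"createdDateTime": "2025-05-20T02:14:09Z", "appId": CV_APP, "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-05-20T02:51:44Z", "appId": CV_APP, "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2025-05-20T03:00:00Z", "appId": "33333333-3333-3333-3333-333333333333",
     "ipAddress": "198.51.100.77"},
]
SAMPLE_AUDITS = [  # constructed records shaped like Graph directoryAudit objects
    {"activityDateTime": "2025-05-20T02:49:30Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.com"}},
     "targetResources": [{"id": CV_SP, "type": "ServicePrincipal", "modifiedProperties": []}]},
    {"activityDateTime": "2025-05-20T02:53:10Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.com"}},
     "targetResources": [{"id": CV_SP, "type": "ServicePrincipal", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: c1, ClientId: 1111, Scope: Mail.ReadWrite Files.Read.All User.Read]]"}]}]},
    {"activityDateTime": "2025-05-20T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "cloudadmin@example.com"}},
     "targetResources": [{"id": "44444444-4444-4444-4444-444444444444", "type": "User"}]},
]

def triage(signins=SAMPLE_SIGNINS, audits=SAMPLE_AUDITS):
    """Run both checks and return (indicator, timestamp, detail) tuples."""
    return check_signins(signins) + check_audits(audits)

if __name__ == "__main__":
    for finding in triage():
        print(*finding)
```

On the constructed data the script reports the sign-in from 198.51.100.77, the credential added to the Commvault service principal by an account outside the expected admin set, and the consent that granted Mail.ReadWrite and Files.Read.All; the benign sign-in, the other application's sign-in and the user update are ignored. Feed it real exports from the Graph auditLogs endpoints (signIns filtered to service-principal sign-ins, and directoryAudits) and keep the time window wide enough to cover the advisory's activity period.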

On-Premise Commvault Customers Are Also at Risk

Although the focus remains on the Metallic SaaS platform, customers using on-premises Commvault installations are also advised to harden their configurations.

Recommendations include:

  • Restricting UI access to trusted internal IPs
  • Deploying a Web Application Firewall (WAF) to block path traversal or malicious uploads
  • Monitoring for unusual activity originating from installation directories
  • Removing any public-facing management portals
  • Applying all available patches from Commvault promptly

CVE-2025-3928: A Known Exploited Weakness

CISA has added CVE-2025-3928, a Commvault Web Server vulnerability that allows a remote, authenticated attacker to create and execute web shells, to its Known Exploited Vulnerabilities (KEV) catalog. The listing requires all federal civilian executive branch agencies to remediate the issue by the due date set in the catalog entry.

Enterprises in regulated sectors such as healthcare, financial services, and energy should treat this as a high-severity incident and act accordingly.

Why This Attack Matters to the Broader Ecosystem

The Commvault advisory is part of a broader pattern of attacks exploiting the trust boundaries between SaaS providers and identity infrastructures. As organizations increasingly adopt SaaS platforms, their attack surface now includes:

  • Third-party cloud vendors with default configurations
  • Overprivileged service principals
  • Long-lived credentials with no rotation policies
  • OAuth tokens and consent mechanisms

Once attackers gain access to a service principal, they can impersonate the application to read customer data, create new users, or exfiltrate sensitive information, all while blending into what the logs record as legitimate application activity.

This highlights the critical need to treat SaaS security as an extension of your zero-trust strategy.

Incident Response and Reporting

If your organization suspects compromise:

  1. Disable the suspicious service principals, or revoke their credentials, immediately
  2. Reset associated credentials
  3. Notify internal response teams
  4. Report incidents to National CERTs

Enterprises are also encouraged to engage with trusted threat intelligence vendors to conduct a broader compromise assessment.

Final Thoughts

The exploitation of Commvault’s Metallic SaaS platform underlines a dangerous evolution in attacker tactics. Instead of brute-forcing user accounts or exploiting endpoints, threat actors are now targeting trusted service relationships between SaaS platforms and cloud identity providers.

Organizations that do not have full visibility into these service relationships—and do not regularly audit and rotate application secrets—may be blind to these threats. As supply chain attacks continue to evolve, so must our defenses.

References:

https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic



Article source: https://cyble.com/blog/cisa-updates-alert-commvault-metallic-exploitation/