
Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach


May 01, 2025 | Ravie Lakshmanan | Zero-Day / Threat Intelligence


Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access.

“This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” the company said in an update.

“Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.”

In an advisory issued on March 7, 2025, Commvault said it was notified by Microsoft on February 20 about unauthorized activity within its Azure environment and that the threat actor exploited CVE-2025-3928 as a zero-day. It also said it rotated affected credentials and enhanced security measures.

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches for Commvault Web Server by May 19, 2025.


To mitigate the risk posed by such attacks, customers are advised to apply a Conditional Access policy to all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations, and rotate and sync client secrets between Azure portal and Commvault every 90 days.

The company is also urging users to monitor sign-in activity to detect any access attempts originating from IP addresses outside of the allowlisted ranges. The following IP addresses have been associated with malicious activity:

  • 108.69.148.100
  • 128.92.80.210
  • 184.153.42.129
  • 108.6.189.53, and
  • 159.242.42.20

“These IP addresses should be explicitly blocked within your Conditional Access policies and monitored in your Azure sign-in logs,” Commvault said. “If any access attempts from these IPs are detected, please report the incident immediately to Commvault Support for further analysis and action.”
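
A sketch of the sign-in monitoring described above, added here as an illustration and not taken from Commvault's advisory: it checks exported sign-in records against the five listed IP addresses and an allowlist. The allowlist ranges, the app name and the log lines are constructed placeholders; the field names follow the Microsoft Graph signIn resource.

```python
import ipaddress
import json

# IP addresses the advisory associates with malicious activity (listed above).
FLAGGED_IPS = {ipaddress.ip_address(ip) for ip in (
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20")}

# Assumption: placeholder allowlist (documentation ranges); use your own egress ranges.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample export, one JSON record per line; errorCode 0 means success.
SAMPLE_LOG = """
{"createdDateTime": "2025-05-01T08:00:00Z", "appDisplayName": "example-backup-app", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T08:05:00Z", "appDisplayName": "example-backup-app", "ipAddress": "108.6.189.53", "status": {"errorCode": 53003}}
{"createdDateTime": "2025-05-01T08:07:00Z", "appDisplayName": "example-backup-app", "ipAddress": "192.0.2.77", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T08:09:00Z", "appDisplayName": "example-backup-app", "ipAddress": "159.242.42.20", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T08:11:00Z", "appDisplayName": "example-backup-app", "ipAddress": "198.51.100.5", "status": {"errorCode": 0}}
"""

def classify(ip_text):
    """Return 'flagged', 'allowlisted', 'outside-allowlist' or 'unparseable'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"  # missing or malformed address: surface it, do not drop it
    if ip in FLAGGED_IPS:
        return "flagged"      # checked first so an overly broad allowlist cannot hide it
    if any(ip in net for net in ALLOWLIST):
        return "allowlisted"
    return "outside-allowlist"

def triage(log_text):
    """Return (time, app, ip, verdict, succeeded) for every non-allowlisted sign-in."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec.get("ipAddress", ""))
        if verdict != "allowlisted":
            succeeded = rec.get("status", {}).get("errorCode") == 0
            findings.append((rec.get("createdDateTime"), rec.get("appDisplayName"),
                             rec.get("ipAddress"), verdict, succeeded))
    # Flagged IPs first, successful sign-ins before failed ones, then by time.
    return sorted(findings, key=lambda f: (f[3] != "flagged", not f[4], f[0]))

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A successful sign-in from a flagged address sorts to the top because it is the case to report first; a failed one still shows that the address is being tried against the app registration.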
