Advisory Analysis: Commvault Metallic M365 Client Secret Compromise via CVE-2025-3928

1. Executive Summary: The Commvault (Metallic) M365 Breach & CVE-2025-3928

A significant security incident has emerged involving Commvault’s Metallic Microsoft 365 (M365) backup Software-as-a-Service (SaaS) solution. Evidence suggests that a nation-state threat actor ¹ potentially gained unauthorized access to client secrets used by this service. This access appears to have been facilitated by the exploitation of CVE-2025-3928, a critical vulnerability within the Commvault Web Server.¹ This vulnerability permits remote, authenticated attackers to upload and execute webshells, effectively granting them control over the compromised web server.³ The primary and most alarming risk stemming from this incident is the potential for unauthorized access to customers’ live Microsoft 365 environments ¹, rather than a direct compromise of the backup data, which Commvault has stated remained secure.¹ This incident demands immediate attention due to confirmed active exploitation of CVE-2025-3928 and its inclusion in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.³

Core Recommendations:

• Prioritize Patching: Immediately apply the patches released by Commvault to remediate CVE-2025-3928 on all affected Commvault Web Server instances.
• Rotate M365 Client Secrets: All Microsoft 365 application client secrets utilized by Commvault Metallic, particularly those active during the suspected compromise window, must be rotated without delay.
• Implement Conditional Access: Enforce stringent Conditional Access policies within Microsoft Entra ID, specifically targeting the service principals associated with Commvault Metallic, to restrict authentication pathways.
• Enhance M365 Monitoring: Augment logging capabilities within Microsoft 365 environments and conduct thorough threat hunting activities, focusing on anomalous behavior related to the Commvault Metallic application or its associated service principal.

A critical distinction must be understood and communicated to all stakeholders: the difference between the security of “backup data” and the implications of “M365 environment access.” While Commvault has asserted that “there has been no unauthorized access to customer backup data that Commvault stores and protects” ¹, the core of the CISA alert highlights that “Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution… This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments”.⁵ Client secrets are credentials used by applications, such as Metallic, to programmatically interact with M365 services like Exchange Online, SharePoint Online, and OneDrive for Business. If these secrets are compromised, an attacker can effectively impersonate the Metallic application, thereby gaining the same level of access to the M365 environment that the application legitimately possesses. This access is to the live, operational M365 data and services—not merely the historical backup data stored by Commvault. Consequently, the risk extends far beyond the backup solution itself, potentially leading to the exfiltration of sensitive emails and documents, the execution of malicious email campaigns from trusted internal accounts, or further lateral movement within the victim organization’s broader cloud infrastructure.

2. Understanding the Threat: CVE-2025-3928 and the Commvault Metallic Incident

A thorough understanding of the vulnerability itself and the timeline of the incident is crucial for effective response and mitigation.

Vulnerability Deep Dive (CVE-2025-3928)

• Technical Nature: CVE-2025-3928 is described as an “unspecified vulnerability” within the Commvault Web Server.³ Its exploitation allows a remote, authenticated attacker to create and execute webshells on the affected server.³ A webshell is a malicious script uploaded to a web server that provides the attacker with a persistent, remote interface to execute arbitrary commands and maintain control over the compromised system. This capability essentially hands over the server to the attacker, even if their initial authenticated access was with limited privileges.²

• Affected Commvault Versions and Platforms: The vulnerability impacts several versions of the Commvault Web Server software across both Windows and Linux platforms.³ Organizations must verify their deployments against the following list:

  • Versions 11.36.0 through 11.36.45 (Fixed in version 11.36.46)
  • Versions 11.32.0 through 11.32.88 (Fixed in version 11.32.89)
  • Versions 11.28.0 through 11.28.140 (Fixed in version 11.28.141)
  • Versions 11.20.0 through 11.20.216 (Fixed in version 11.20.217)

• CVSS Score and Severity: The severity of CVE-2025-3928 is underscored by its high CVSS scores:

  • CVSS 3.1 Base Score: 8.8 (High).³ The vector is $CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H$.
    • Attack Vector: Network (AV:N): The vulnerability can be exploited remotely over a network.
    • Attack Complexity: Low (AC:L): It is considered easy to exploit once the prerequisite of authentication is met.
    • Privileges Required: Low (PR:L): The attacker does not need administrative privileges on the web server; any authenticated user account could potentially be used to exploit this flaw.²
    • User Interaction: None (UI:N): No interaction is required from any legitimate user for the vulnerability to be exploited.
    • Scope: Unchanged (S:U): The exploit impacts the security scope of the vulnerable component (the web server) but does not directly affect other systems’ security scopes through its immediate exploitation.
    • Confidentiality (C:H), Integrity (I:H), Availability (A:H): High: Successful exploitation can lead to a total loss of confidentiality, integrity, and availability of the Commvault Web Server.
  • CVSS 4.0 Score (CISA): 8.7 (High).⁴ The vector is $CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N$. This newer scoring system also reflects the critical nature of the vulnerability.

Incident Timeline & Scope

• Discovery and Notification: The chain of events began on February 20, 2025, when Microsoft notified Commvault of suspicious activity, attributed to a nation-state threat actor, within Commvault’s Azure environment.¹ Commvault promptly initiated an investigation and released an initial security advisory.¹ Further threat intelligence provided by Microsoft in April 2025 led to an updated advisory from Commvault.¹

• Public Disclosure and CISA KEV Addition: CVE-2025-3928 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on April 28, 2025.³ This addition signifies that CISA has evidence of active exploitation in the wild. Federal agencies were given a deadline of May 17 or May 19, 2025, to apply mitigations or discontinue use of the product.⁴ The primary CISA advisory specifically linking this activity to the Commvault Metallic M365 client secret compromise was issued on May 22, 2025.⁵

• Prevalence: The primary impact of this incident is on customers utilizing Commvault’s Metallic SaaS solution for M365 backup, which is hosted in Microsoft Azure.⁵ Given that M365 backup is a fundamental security measure for any organization leveraging the Microsoft 365 suite, the potential reach of this vulnerability is extensive, cutting across multiple industries. Commvault supports a large global customer base, reportedly exceeding 100,000 organizations.² While not all of these organizations will be using the Metallic M365 backup service, the strong adoption of Metallic, evidenced by its SaaS Annual Recurring Revenue (ARR) jumping 66% to $188 million ¹⁰, indicates a substantial number of potentially affected entities.

• Affected Customer Numbers: Commvault has stated that the breach directly affected “only a small number of customers”.² Similarly, the recommendation for customers to rotate their own application secrets was noted to apply to a “limited number of customers who themselves have control over Commvault’s application secrets”.⁵ However, precise figures or percentages regarding the number of impacted customers have not been publicly disclosed.

The timeline of this incident reveals a noteworthy period between the initial detection of suspicious activity within Commvault’s environment in February and the broader public advisory concerning the M365 client secret compromise in May. While comprehensive investigations undoubtedly require time, this gap suggests a window during which threat actors might have continued their operations. Furthermore, the fact that CVE-2025-3928 was exploited as a zero-day ² implies that the attackers possessed knowledge of and were utilizing this vulnerability before Commvault or the wider security community became aware of it and before patches were available. This period, potentially spanning from February to late April or May, is when customer M365 client secrets could have been exposed before the specific risk vector was widely communicated.

Table 1: CVE-2025-3928 Details

This table provides a concise summary critical for technical teams to quickly identify the vulnerability, assess its severity, and determine if their specific Commvault Web Server versions are affected, thereby streamlining remediation efforts. The KEV catalog information underscores the confirmed active exploitation and the urgency required in addressing this flaw.

3. Attack Vector Analysis: How Threat Actors Gained Access

Understanding the sequence of events and attacker methodologies is key to comprehending the full risk profile.

Initial Access & Exploitation (CVE-2025-3928)

• Requirement for Authenticated Access: A crucial aspect of CVE-2025-3928 is that its exploitation requires the attacker to be authenticated to the Commvault Web Server.³ This means the attacker must have already obtained valid user credentials for the system; the vulnerability itself does not provide this initial access. The attack also necessitates access to an internet-facing Commvault Web Server environment.⁶

• Exploitation Mechanism: Once an attacker has authenticated with valid credentials (even those with low privileges ²), they can leverage the unspecified flaw in the Commvault Web Server to upload and execute a webshell.³ This webshell then provides the attacker with persistent remote command execution capabilities on that specific server.

• Remote Exploitability: The vulnerability is confirmed to be remotely exploitable, as indicated by the “Network” (AV:N) component in its CVSS vector.

Risk Profile & Attack Scenarios

• Realistic Scenario: Based on the available information, a plausible attack scenario unfolds as follows:

  1. Initial Foothold (Credential Acquisition): The threat actor first obtains valid user credentials for a Commvault Web Server account. The exact method used in this specific breach is not detailed, but common techniques include phishing, password spraying, or exploiting other unrelated vulnerabilities.
  2. Exploitation of CVE-2025-3928: The attacker uses the acquired credentials to log into a vulnerable, internet-facing Commvault Web Server. They then exploit CVE-2025-3928 to upload and execute a webshell.
  3. Post-Exploitation on Web Server: With an active webshell, the attacker gains control over the Commvault Web Server. From this compromised position, they can perform reconnaissance, escalate privileges if possible, and search for sensitive information stored or processed by this server or accessible from it.
  4. Access to M365 Client Secrets: The CISA alert ⁵ and Commvault’s own statements ¹ clearly indicate that this webshell access, or subsequent actions taken from the compromised server, led to the potential compromise of Microsoft 365 client secrets. These secrets are associated with the Commvault Metallic SaaS application used for M365 backup. While the precise mechanism of how webshell access on a Commvault Web Server translated to the theft of M365 client secrets stored within Commvault’s Azure-hosted infrastructure is not explicitly detailed in the provided information, this step is the critical link in the attack chain. It is conceivable that these secrets were stored in configuration files, databases, or other repositories accessible from the compromised components of Commvault’s cloud environment.
  5. Customer M365 Environment Compromise: With the M365 client secrets in hand, the attackers can then authenticate to the respective customers’ M365 environments, impersonating the Commvault Metallic application.⁵

• Role of Phishing, Social Engineering, Insider Threats for Initial Authentication: While the specific method for obtaining initial credentials for the Commvault Web Server in this incident remains undisclosed, nation-state actors frequently employ sophisticated tactics such as spear-phishing campaigns, social engineering, or leveraging previously compromised credentials from other breaches.¹¹ Techniques like password spraying against exposed login portals are also common for gaining initial access to cloud services.¹³ An insider threat, although less commonly attributed in such advisories, also remains a theoretical possibility for initial credential compromise.

The “authenticated” prerequisite for exploiting CVE-2025-3928 is a pivotal detail. It implies that the zero-day vulnerability was likely one component in a more intricate, multi-stage attack orchestrated by the nation-state actor. The attackers needed to overcome the initial authentication barrier before they could leverage CVE-2025-3928. This could have involved exploiting an entirely different vulnerability, a successful phishing campaign targeting Commvault personnel or systems, or the exploitation of misconfigured or weakly secured Commvault web server instances exposed to the internet. The CISA alert’s mention of a potential “larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions” ⁵ suggests that initial access vectors might sometimes rely on common weaknesses rather than exclusively on zero-day exploits for the very first step into a target environment.

Exploitability & Attack Chain

• From Webshell to Client Secret Theft: The pivotal phase of the attack, following the successful deployment of a webshell on a Commvault Web Server, involved the attackers navigating within Commvault’s Azure-hosted infrastructure to locate and exfiltrate the M365 client secrets for the Metallic service. This likely entailed further reconnaissance to identify where these sensitive credentials were stored or managed, and then leveraging their compromised position to access them.

• Path to M365 Environment Compromise: Once an M365 client secret is stolen, an attacker can use it to request OAuth access tokens for the Microsoft Graph API or other M365 service APIs, effectively acting as the Commvault Metallic application.⁵ This grants them the permissions that have been assigned to that specific application’s service principal within the customer’s M365 tenant. These permissions could potentially include read/write access to emails in Exchange Online, files in OneDrive for Business and SharePoint Online, and data within Microsoft Teams.

• Potential for Deeper Infiltration:

  • Privilege Escalation: If the compromised Commvault Metallic application service principal within a customer’s M365 tenant has been granted excessive permissions (more than what is strictly necessary for its backup function), this could represent a form of privilege escalation for the attacker within that customer’s M365 environment.
  • Lateral Movement: Access to one M365 service (e.g., SharePoint) could be leveraged to access others, or compromised mailboxes could be used to send highly convincing internal phishing emails to further compromise user accounts or spread malware.
  • Persistence: The stolen application client secrets themselves offer a durable form of persistence until they are rotated and revoked. Attackers might also attempt to establish additional persistence mechanisms within the compromised M365 environment, such as creating new admin accounts or registering their own malicious applications.

• Known PoCs or Weaponized Exploits: The inclusion of CVE-2025-3928 in CISA’s KEV catalog ³ serves as definitive proof that it has been actively exploited in real-world attacks. The Commvault incident itself, where the vulnerability was used as a zero-day ², is a clear demonstration of its weaponization by sophisticated threat actors.

This incident highlights a concerning trend where attackers target the administrative or management infrastructure of an organization or its service providers—such as backup solutions—not solely for the data these systems might directly contain, but as a strategic pivot point to gain access to broader, often more valuable, cloud ecosystems like Microsoft 365. Backup systems, by their very nature, often require privileged access to the production systems they are designed to protect. If these backup systems or their management interfaces are compromised, that privileged access can be subverted by attackers, turning a defensive tool into an offensive vector.

MITRE ATT&CK Framework Mapping

Mapping the observed and inferred behaviors to the MITRE ATT&CK framework provides a standardized way to describe the attack and understand the tactics, techniques, and procedures (TTPs) involved.

• Initial Access (Hypothesized for Commvault Web Server):

  • T1078 (Valid Accounts): If attackers used stolen or reused legitimate credentials.
  • T1110.003 (Brute Force: Password Spraying): A common technique for obtaining credentials for cloud-based services by trying a few common passwords against many accounts.¹³
  • T1566 (Phishing): Could have been used to steal initial credentials from Commvault personnel or users with access to the web server.

• Execution (on Commvault Web Server):

  • T1505.003 (Server Software Component: Web Shell): This directly describes the core exploitation of CVE-2025-3928, where attackers deployed webshells after authenticating to the Commvault Web Server.³

• Credential Access (within Commvault’s environment leading to M365 client secrets):

  • The exact TTP is not specified in the available information. However, once the web server was compromised via the webshell, attackers could have used various techniques such as:
    • Searching for credentials in configuration files or scripts.
    • Accessing internal databases or secret management systems accessible from the compromised server.

• Impact & Subsequent Access (to Customer M365 Environments):

  • T1078.004 (Valid Accounts: Cloud Accounts): The compromised M365 application, using the stolen client secrets, acts as a legitimate, authenticated cloud account within the customer’s M365 tenant.¹⁵
  • T1528 (Steal Application Access Token): While client secrets are not access tokens themselves, their compromise directly enables an attacker to obtain OAuth access tokens for the M365 APIs by impersonating the legitimate application.¹⁷ This technique is highly relevant to the core impact of the client secret theft.
  • T1671 (Cloud Administration Command): If attackers, after gaining initial access via the compromised application, were able to further manipulate application registrations or grant new OAuth consents within the customer’s M365 environment (though less directly indicated here, it’s a related cloud TTP ¹⁹).

Table 2: MITRE ATT&CK Techniques Relevant to the Commvault Incident

This mapping to MITRE ATT&CK provides a standardized lexicon for discussing the attacker’s actions, aiding organizations in assessing their defensive posture against these specific behaviors and prioritizing security improvements.

4. Real-World Impact & Urgency

The implications of this security event are significant, underscored by several key factors.

• Active Exploitation in the Wild: The most pressing concern is the confirmed active exploitation of CVE-2025-3928. Its inclusion in CISA’s KEV catalog on April 28, 2025 ³, is a direct confirmation that threat actors were already leveraging this vulnerability in real-world attacks. The fact that it was exploited as a zero-day in the Commvault incident ² means attackers had weaponized it before a patch was available or the vulnerability was publicly known, giving them a considerable advantage.

• Nation-State Actor Attribution: Both Commvault and Microsoft have attributed the unauthorized activity to a nation-state threat actor.¹ This attribution carries significant weight, suggesting attackers with sophisticated capabilities, substantial resources, and likely strategic, long-term objectives rather than immediate financial gain.¹² Nation-state operations often focus on espionage, intellectual property theft, establishing persistent access for future operations, or disruption.

• Patch Adoption Status: While Commvault has released patches to address CVE-2025-3928 ³, the speed and completeness of patch adoption across all vulnerable customer environments remain unknown. CISA’s Binding Operational Directive 22-01, which mandates federal agencies to remediate KEV-listed vulnerabilities by specified deadlines (mid-May 2025 in this case ²), highlights the urgency. The subsequent CISA advisory on May 22, 2025, regarding the Metallic client secret compromise further emphasizes the need for prompt action by all affected organizations.⁵

• High-Profile Incident: This breach affecting Commvault and its Metallic M365 backup service constitutes a high-profile security incident. This is due to the confluence of factors: the involvement of a major, publicly-listed data protection vendor ²; the targeting of a widely adopted SaaS backup solution for the ubiquitous Microsoft 365 platform; the attribution to a nation-state actor; and the prominent alerts and KEV catalog inclusion by CISA.

• Potential Broader Campaign: CISA has indicated a belief that this threat activity “may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions”.⁵ This raises the alarming prospect that the Commvault incident might not be an isolated event but rather one facet of a more extensive operation by sophisticated actors aimed at compromising SaaS providers and their customers.

The involvement of a nation-state actor exploiting a zero-day vulnerability against a security vendor’s own infrastructure, with the ultimate goal of accessing that vendor’s customers’ cloud environments, represents a sophisticated and concerning evolution of supply chain attacks. It underscores the immense trust organizations place in their SaaS providers and the potentially cascading impact when that trust is compromised. The vendor, in this case Commvault, became an unwilling conduit for attackers to reach their end targets—the customers’ M365 tenants.

This incident serves as a stark reminder that even with robust internal security measures, reliance on third-party SaaS providers inherently introduces shared risks. The security of an organization’s Microsoft 365 environment is not solely dependent on its own configurations and controls but is also intertwined with the security posture of critical integrated services like Commvault Metallic. This situation powerfully emphasizes the necessity for rigorous and ongoing vendor due diligence, a clear and practical understanding of shared responsibility models in the cloud, and proactive measures to limit the potential blast radius should a third-party provider be breached.

5. Sector-Specific Risk Analysis & Recommendations

The compromise of M365 client secrets via a trusted backup provider like Commvault Metallic poses distinct and severe risks to various sectors, particularly Higher Education and Healthcare, due to the nature of the data they handle and their common IT operational characteristics.

Higher Education Institutions

• Typical IT Stack Vulnerabilities:

  • Heavy M365 Reliance: Universities and colleges extensively use Microsoft 365 for student and faculty email, collaborative research, file storage (OneDrive, SharePoint), and administrative functions.
  • Diverse and Transient User Base: Managing security for a large, diverse population of students, faculty, researchers, staff, and alumni, many of whom may have varying levels of security awareness and may use personal devices, presents significant challenges.
  • Complex Hybrid Environments: Many institutions operate a mix of modern cloud services alongside legacy on-premise systems, creating complex identity and access management scenarios.
  • Budgetary and Resource Constraints: Public and private educational institutions can face budget limitations that impact their ability to rapidly implement the latest security technologies or maintain large, specialized cybersecurity teams.
  • Open Collaboration Culture: The need for open collaboration in research and academic pursuits can sometimes conflict with stringent security controls.

• Specific Risks from this Incident:

  • Compromise of Sensitive Research Data: Microsoft 365 environments in higher education often store vast amounts of valuable research data, including pre-publication findings, proprietary algorithms, and intellectual property. Unauthorized access via compromised Metallic client secrets could lead to intellectual property theft, undermining research integrity and competitiveness.²⁰
  • Exposure of Student and Faculty Personally Identifiable Information (PII): M365 tenants hold significant PII for students, faculty, and staff (e.g., names, addresses, social security numbers, academic records). A breach could lead to identity theft, financial fraud, and severe reputational damage to the institution.
  • Disruption of Academic and Administrative Operations: Compromise of M365 could cripple email communication, access to course materials on SharePoint or Teams, online learning platforms, and critical administrative workflows, leading to widespread disruption.
  • Erosion of Trust: A significant data breach can erode the trust of students, faculty, alumni, and funding bodies.

• Tailored Preparation and Defense Strategies for Higher Education:

  • Aggressively Implement M365 Security Best Practices: Prioritize the adoption of CISA’s Secure Cloud Business Applications (SCuBA) project guidance for M365 ⁵ and Microsoft’s Zero Trust deployment plan.²¹
  • Enforce Granular Permissions for M365 Applications: Scrutinize and rigorously apply the principle of least privilege to all third-party applications integrated with M365, including backup solutions like Metallic.¹ Regularly audit Entra ID application registrations and service principal permissions.
  • Enhance M365 Logging and Active Monitoring: Ensure comprehensive logging is enabled for M365 services (Unified Audit Log, Entra ID sign-in and audit logs ⁵) and actively monitor for anomalous application behavior, suspicious sign-ins, or unusual data access patterns related to integrated applications.
  • Data Classification and Protection: Implement robust data classification schemes to identify sensitive research data and PII within M365. Apply appropriate protection measures, such as Microsoft Purview Information Protection (sensitivity labels, encryption), to this data.
  • Refine Incident Response Plans: Ensure incident response plans specifically address scenarios involving SaaS provider breaches and the compromise of M365 application credentials. Test these plans regularly.
  • Targeted User Training and Awareness: Conduct ongoing security awareness training focused on phishing, credential hygiene, recognizing compromised account behavior, and secure collaboration practices within M365.
  • Strengthen Vendor Risk Management: For institutions that manage their own application secrets for services like Metallic, ensure robust secret management practices, including secure storage and frequent rotation.⁵ For all third-party SaaS integrations, perform thorough security due diligence.

Healthcare Organizations

• Typical IT Stack Vulnerabilities:

  • Growing M365 Adoption for ePHI: Healthcare providers are increasingly using M365 for clinical communication, collaboration, and administrative tasks, often involving electronic Protected Health Information (ePHI).
  • Internet of Medical Things (IoMT): The proliferation of connected medical devices can expand the attack surface if these devices are not properly secured and segmented from primary networks.
  • Legacy Clinical Systems: Many healthcare organizations rely on legacy clinical applications that may be difficult to patch, secure, or integrate safely with modern cloud platforms.
  • Stringent Regulatory Compliance (HIPAA/HITECH): Healthcare is subject to strict data protection regulations, with significant penalties for non-compliance and breaches involving ePHI.
  • High-Pressure Environment: The fast-paced, critical nature of healthcare can sometimes lead to security shortcuts if controls are perceived as impeding patient care.

• Specific Risks from this Incident:

  • ePHI Breach and HIPAA Violations: The most significant risk is the unauthorized access to ePHI stored or communicated via M365 (emails, files in OneDrive/SharePoint, Teams messages). Such a breach would constitute a serious violation of the HIPAA Security and Privacy Rules, leading to mandatory breach notifications, substantial financial penalties, corrective action plans, and severe reputational harm.²²
  • Impact on Patient Care and Safety: Disruption to M365 services could critically affect clinical communication (e.g., between doctors, nurses, and specialists), access to patient information necessary for treatment decisions, and scheduling systems, potentially leading to delays in care or medical errors.
  • Operational Disruption: Healthcare operations are heavily dependent on the timely and secure flow of information. An M365 compromise could cripple administrative functions, billing, and clinical workflows, leading to significant operational disruption.
  • Compromise of Medical Research Data: Similar to higher education, many healthcare organizations conduct clinical trials and medical research. Unauthorized access to this data via M365 could lead to loss of valuable intellectual property.

• Tailored Preparation and Defense Strategies for Healthcare:

  • Strict Adherence to HIPAA Security Rule: All M365 configurations and third-party application integrations (such as Commvault Metallic) must be meticulously aligned with HIPAA’s technical, administrative, and physical safeguards.²² This includes robust access controls, audit controls, data integrity mechanisms, and transmission security.
  • Implement a Zero Trust Architecture: Adopt Zero Trust principles (“never trust, always verify”) for all access to M365 and any systems containing ePHI.²¹ This involves explicit verification for every access request, use of least privilege, and assuming breach.
  • Robust Business Associate Agreements (BAAs): Ensure comprehensive and legally sound BAAs are in place with all vendors (including Commvault/Metallic) that create, receive, maintain, or transmit ePHI on behalf of the covered entity. These BAAs must clearly define roles, responsibilities, and liability in the event of a security incident or breach.
  • Utilize M365 Data Loss Prevention (DLP): Configure and maintain M365 DLP policies to automatically detect, alert on, and prevent the unauthorized exfiltration or inappropriate sharing of ePHI.
  • Resilient and Verifiable Data Protection Strategy: While Metallic provides M365 backup, healthcare organizations must consider the implications if the live M365 environment is compromised. Ensure an overall data protection strategy that includes secure, potentially immutable, and regularly tested backups, with clear recovery time objectives (RTOs) and recovery point objectives (RPOs).
  • Conduct Regular and Thorough Risk Assessments: Perform periodic risk assessments that specifically focus on M365 security, third-party vendor integrations, and compliance with HIPAA requirements.
  • Well-Rehearsed Incident Response & Breach Notification Procedures: Maintain and regularly test an incident response plan that includes specific procedures for handling ePHI breaches, including timely notification to affected individuals, the Secretary of Health and Human Services (HHS), and potentially the media, as mandated by the HIPAA Breach Notification Rule.²²
  • Secure Endpoints Accessing M365: Implement strong endpoint security controls (EDR, patching, configuration management) on all devices (including personal devices under BYOD policies and medical devices, if applicable) that access M365 to prevent them from becoming entry points for attackers.

Both the higher education and healthcare sectors manage highly sensitive and valuable data—research intellectual property, extensive PII, and critical ePHI. Their increasing reliance on large, interconnected SaaS ecosystems like Microsoft 365, while offering significant productivity and collaboration benefits, also concentrates risk. An incident like the Commvault Metallic breach, where a vulnerability in a third-party backup solution provider’s infrastructure can directly threaten the primary M365 data environment of its customers ¹, demonstrates how this concentrated risk can manifest. It’s no longer just about securing one’s own perimeter; the security of integrated third-party services is paramount.

This situation should compel organizations in these sectors to critically re-evaluate how they manage third-party application permissions within their M365 tenants. The ease of SaaS integrations and the desire for enhanced functionality must be carefully weighed against the potential risks of granting overly permissive access or suffering from compromised vendor credentials. A passive “default allow” or a “set it and forget it” mentality towards M365 application integrations is a dangerous posture in the current threat landscape. Instead, a proactive, continuous lifecycle management approach for application permissions and credentials is required.

6. Comprehensive Mitigation and Detection Strategies

A multi-faceted approach is essential to address the risks posed by CVE-2025-3928 and the potential compromise of Commvault Metallic M365 client secrets.

Immediate Actions (Patching & Credentials)

• Apply Commvault Patches for CVE-2025-3928: This is the foundational and most critical step. Organizations must update their Commvault Web Server installations to the fixed versions: 11.36.46, 11.32.89, 11.28.141, or 11.20.217, as applicable.³ This action directly addresses the root vulnerability on the web server, preventing its future exploitation.

• Rotate Microsoft 365 Application Client Secrets: For all Commvault Metallic applications and their associated service principals within Microsoft Entra ID, client secrets must be rotated immediately.¹ This is particularly urgent for any secrets that were active or created between February and May 2025, the period during which the compromise may have occurred. Rotating these secrets invalidates any previously compromised credentials.

  • It is important to note CISA’s clarification that for some customers, Commvault manages these secrets and is undertaking the rotation.¹ However, for a “limited number of customers who themselves have control over Commvault’s application secrets” ⁵, the responsibility for rotation lies with the customer. Organizations must clearly identify their specific scenario and act accordingly.

• Establish Regular Credential Rotation Policies: Implement and enforce a policy for the regular rotation of all M365 application client secrets, including those used by Commvault Metallic and other third-party integrations. A rotation frequency of every 30 to 90 days is a recommended best practice.²

Technical Controls

• Implement Conditional Access Policies for Service Principals (Workload Identities):

  • A key defensive measure is to configure Conditional Access policies in Microsoft Entra ID to restrict how and from where application service principals (also known as workload identities), such as the one used by Commvault Metallic, can authenticate.² Specifically, limit authentication to approved IP address ranges. If Commvault provides a list of their service egress IP addresses, these should be used to create a “named location” in Entra ID, and the Conditional Access policy should be configured to only allow authentication from this trusted location.⁵ This can significantly mitigate the risk of compromised secrets being used from attacker-controlled infrastructure.
  • Implementing Conditional Access for workload identities typically requires Azure AD Premium P1 or P2 licenses and involves careful configuration of policies that target these non-human identities.²⁵

• Deploy a Web Application Firewall (WAF): Place a WAF in front of Commvault management interfaces, including the Web Server.⁵ A well-configured WAF can help detect and block malicious web traffic, including attempts to exploit web vulnerabilities, upload webshells, or perform path-traversal attacks.

• Restrict Network Access to Commvault Management Interfaces: Wherever feasible, limit network access to Commvault management interfaces to trusted internal networks and designated administrative systems only.⁵ Reducing the internet-exposed attack surface of these critical systems can prevent attackers from reaching them in the first place.

Monitoring & Detection

• Thorough Review of Microsoft 365 / Entra ID Logs: Conduct comprehensive reviews of Microsoft Entra ID audit logs, Entra ID sign-in logs, and the Microsoft 365 Unified Audit Log (UAL).¹ Focus on activity related to Commvault service principals or any M365 applications used for backup. Look for:

  • Anomalous sign-in attempts (unusual geographic locations, IP addresses not matching Commvault’s known ranges, unexpected frequency, suspicious user agents).
  • Unexpected permission grants, modifications to application registrations, or consent grants.
  • Suspicious data access patterns (e.g., large volume downloads, access to unusual mailboxes or sites) by the application.
  • Commvault has stated they are providing Indicators of Compromise (IOCs) to assist customers with these investigations.¹ These IOCs should be actively used in threat hunting.

• Monitor Commvault Web Server Logs: Scrutinize logs on Commvault Web Servers, paying close attention to activity in unexpected directories, especially web-accessible paths.⁵ Look for evidence of suspicious file uploads, modifications, or execution that could indicate webshell activity.

• Intrusion Detection/Prevention System (IDS/IPS) Rules: Implement or update IDS/IPS signatures to detect known webshell traffic patterns and exploitation attempts targeting Commvault systems.

• Endpoint Detection and Response (EDR) on Commvault Servers: Ensure robust EDR capabilities are deployed and active on all Commvault servers. EDR can help detect malicious processes, file modifications, or network connections resulting from webshell execution or other post-exploitation activities.

Proactive Measures & Best Practices

• Enforce the Principle of Least Privilege:

  • Rigorously review and revalidate the permissions granted to all application registrations and service principals in Microsoft Entra ID that are used by Commvault Metallic (and other third-party applications).¹ Ensure these applications only possess the absolute minimum set of permissions required for their legitimate functions. Remove any excessive, unused, or overly broad permissions.
  • Avoid granting broad administrative consent to applications unless there is a clear, documented, and thoroughly vetted business need.

• Implement CISA’s SCuBA Project Recommendations: Adopt and implement the general M365 security recommendations outlined in CISA’s Secure Cloud Business Applications (SCuBA) Project.⁵ This initiative provides valuable, actionable guidance for hardening M365 tenants against a variety of threats.

• Secure Management of Application Secrets: For any application secrets that are managed by the customer (rather than the SaaS vendor), ensure they are stored securely, for example, in a dedicated secrets management solution like Azure Key Vault. Avoid hardcoding secrets in scripts, configuration files, or source code.²⁶

• Ongoing User Training and Awareness: While this specific incident involves a server-side exploit, a well-informed user base is a critical layer of defense. Continue regular user training on phishing awareness, strong credential hygiene, and how to recognize and report signs of M365 account compromise.

• Update Incident Response Plans: Review and update the organization’s incident response plan to explicitly include scenarios involving breaches at SaaS providers and the compromise of cloud application credentials. Ensure clear procedures for containment, eradication, recovery, and communication.

The array of recommended mitigations underscores the necessity of a defense-in-depth strategy. Patching the specific CVE is a crucial reactive measure to close the known entry point. Rotating potentially compromised secrets addresses the immediate fallout. However, proactive and preventative measures like implementing Conditional Access policies for service principals, deploying WAFs, restricting network access, and consistently applying the principle of least privilege are essential for reducing the likelihood and impact of future, similar attacks. No single control can be a panacea; resilience is built through multiple, overlapping layers of security.

This incident, and the subsequent guidance from CISA and Commvault, is also indicative of a broader maturation in cloud security thinking, particularly concerning the identity and access management of non-human identities like service principals and workload identities. The strong emphasis on leveraging Conditional Access policies for service principals ⁵ is a prime example of this evolution. Historically, many advanced IAM controls in Azure AD were primarily focused on user identities. This event highlights that application identities are equally, if not more, critical in cloud environments due to the often extensive permissions they hold, and thus require the same level of granular security controls and continuous monitoring. Microsoft’s increasing focus on “Workload Identities” as first-class citizens in Entra ID further supports this important trend.⁵

Table 3: Prioritized Mitigation Checklist for CVE-2025-3928 & Metallic M365 Secret Compromise

This checklist provides a structured path for organizations to address the immediate threats and implement longer-term improvements to their security posture in light of this incident.

7. Key Takeaways & Actionable Recommendations for Briefings

Communicating the nuances of this incident effectively to both technical teams and leadership is paramount.

• Concise Summary of Threat & Implications (for non-technical leadership):

  • “A critical security flaw, identified as CVE-2025-3928, in our Commvault backup software was actively exploited by highly sophisticated attackers, believed to be nation-state actors. This exploitation allowed them to potentially access credentials that our Commvault Metallic service uses to connect to our Microsoft 365 environment. While Commvault reports that our backed-up data itself was not breached by them, the stolen M365 credentials could grant attackers unauthorized access to our live Microsoft 365 services, including emails, shared files, and collaborative platforms. This is a serious incident that requires immediate and ongoing attention.”
  • “This attack utilized a ‘zero-day’ vulnerability, meaning the attackers exploited it before a fix was publicly known or available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed this vulnerability is being actively exploited in the wild, underscoring the urgency.”

• Prioritized List of Actions for Security Teams:

  • Immediate Response: The absolute top priorities are to patch all vulnerable Commvault Web Server instances to remediate CVE-2025-3928 and to rotate all Microsoft 365 application client secrets associated with Commvault Metallic. Concurrently, an intensive review of Microsoft 365 and Entra ID logs must be initiated, leveraging any Indicators of Compromise (IOCs) provided by Commvault, to search for evidence of unauthorized access or anomalous activity.
  • Short-Term Hardening: Swiftly implement IP-based Conditional Access policies in Microsoft Entra ID to restrict where the Commvault M365 service principal can authenticate from. Conduct a thorough review of all permissions granted to M365 applications, particularly Commvault Metallic, and enforce the principle of least privilege, revoking any unnecessary access. If not already in place, deploy and configure a Web Application Firewall (WAF) to protect Commvault management interfaces.
  • Ongoing Vigilance: Establish and maintain a policy for the regular rotation of all M365 application credentials. Continuously monitor M365 and Commvault server logs for suspicious activities. Stay abreast of emerging threats and advisories from CISA and software vendors, ensuring timely application of future patches and security updates.

• Communication Points for Leadership:

  • Quantifiable Risk: Clearly articulate the potential business impact: unauthorized access to sensitive corporate data, customer information, or intellectual property stored in M365; potential for operational disruption if M365 services are maliciously manipulated; significant reputational damage if a breach is confirmed and becomes public; and potential regulatory fines or legal action, especially for organizations in sectors like Healthcare (HIPAA) or those handling PII in Higher Education.
  • Coordinated Response: Outline the concrete steps already taken (e.g., patching, secret rotation, initiation of forensic investigation) and the planned security enhancements to provide assurance that the incident is being managed effectively.
  • Resource Allocation: If the incident response or subsequent hardening efforts require additional tools, specialized personnel, or budget, this is the time to articulate those needs clearly, linking them directly to risk reduction.
  • Third-Party Vendor Risk Management: Emphasize that this incident underscores the inherent risks associated with third-party SaaS providers. Propose a review and strengthening of the organization’s vendor risk management program, particularly for critical services that integrate deeply with core platforms like M365.
  • Broader Threat Landscape: Inform leadership that CISA suspects this may be part of a wider campaign targeting SaaS providers.⁵ This context reinforces the need for sustained vigilance and proactive security investments, as this is not an isolated threat.

When briefing leadership and stakeholders, it’s essential to strike a balance between conveying the genuine urgency and seriousness of the situation and presenting a clear, calm, and actionable plan. Over-sensationalizing the threat can lead to unproductive panic, while downplaying it can result in insufficient support for necessary actions. The core message should revolve around the potential compromise of the live M365 environment stemming from a breach at a trusted third-party vendor, and the decisive steps being taken to mitigate this risk.

This incident should serve as a potent catalyst within organizations to champion and reinforce the importance of adopting a Zero Trust security mindset. The traditional perimeter-based security model is insufficient when critical data and services reside in the cloud and are accessed via a complex web of first-party and third-party applications. The Commvault/Metallic breach is a practical, real-world illustration of the core Zero Trust tenets: “assume breach” (a trusted vendor was compromised) and “verify explicitly” (all access, including by applications, must be continuously validated and restricted). Using this event as a case study can make abstract security concepts like Zero Trust more tangible and compelling, thereby facilitating the necessary cultural shifts and securing the commitment required to implement robust, modern security controls across the enterprise.

We warned you it was deep.    You arent earning those CPE credits for nothing!

Continuing Professional Education (CPE) Credit

Earn CPE credits for reading this Security Blotter article. All Security Blotter articles that come with a Deep Dive section are eligible to earn free CPEs for you, the reader.  Our articles include all issues, incidents, and bulletins to relevant Infosec standards and best practices. We have documented your CPE submission below for your convenience and because we love you (in a platonic way).