Commvault, a leading enterprise data backup platform, has confirmed that its Microsoft Azure environment was breached by an unidentified nation-state threat actor exploiting the CVE-2025-3928 vulnerability. Despite the breach, the company reassured clients that there is no evidence of unauthorized access to customer backup data, emphasizing the integrity of its business operations.
In an update, Commvault stated, “This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance.” The company underlined its commitment to customer security with the assurance that no material impact has been observed on its ability to deliver products and services.
The breach came to light following an advisory issued by Commvault on March 7, 2025, after Microsoft notified the company on February 20 about unauthorized activity. The advisory reveals that the threat actor exploited the zero-day vulnerability, prompting the company to rotate affected credentials and enhance security measures.
This incident coincides with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply necessary patches for Commvault Web Server by May 19, 2025. Commvault has also advised its customers to implement Conditional Access policies for all Microsoft 365 and Azure services, as well as to monitor sign-in activity for suspicious access attempts.
To further protect against potential threats, Commvault recommended that customers block a specific list of IP addresses associated with malicious activity, and report any unauthorized access attempts to their support team for further analysis.
As the situation evolves, Commvault continues to work collaboratively with affected parties to ensure the robustness of its security posture. The commitment to customer safety remains a priority amid rising cybersecurity threats.