
Commvault, the enterprise data backup vendor, has disclosed a compromise of its Microsoft Azure environment, linked to an attack that exploited a previously unknown vulnerability, now tracked as CVE-2025-3928. According to the company, the incident was initiated by a state-sponsored actor; however, there is currently no evidence of unauthorized access to customer data.
Commvault became aware of the suspicious activity on February 20, after receiving a security notification from Microsoft. The attack involved the use of a zero-day vulnerability that was later assigned the identifier CVE-2025-3928.
In response, the company promptly rotated the compromised credentials and implemented enhanced security measures. Commvault stated that the breach affected only a limited number of clients operating in collaboration with Microsoft. The company emphasized that backup data remained secure and that neither operational continuity nor service delivery was disrupted.
The vulnerability CVE-2025-3928 has since been added to the U.S. Cybersecurity and Infrastructure Security Agency’s catalog of actively exploited vulnerabilities. Federal agencies have been directed to mitigate the threat by patching affected Commvault Web Server instances no later than May 17, 2025.
Additional recommendations were issued to help prevent similar attacks. These include enforcing conditional access policies across all registered Microsoft 365, Dynamics 365, and Azure AD applications within a single tenant. It is also advised to perform routine synchronization and rotation of client secrets between the Azure portal and Commvault at least once every 90 days.
Beyond technical mitigations, the advisory underscores the importance of vigilant sign-in activity monitoring. Users are encouraged to track logins originating from IP addresses outside of approved ranges. Notably, the following IPs have been associated with malicious activity: 108[.]69[.]148[.]100, 128[.]92[.]80[.]210, 184[.]153[.]42[.]129, 108[.]6[.]189[.]53, and 159[.]242[.]42[.]20. These should be immediately blocked within conditional access policies, and any login attempts from these addresses should be logged and forwarded to Commvault’s technical support team for further analysis.
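The two monitoring recommendations above (flag sign-ins from outside approved ranges or from the listed indicators, and rotate client secrets at least every 90 days) as an added triage script. This is example code, not Commvault's or Microsoft's tooling; the approved ranges, the sign-in records and the credential records are constructed, with field names modelled on the Entra sign-in log and application passwordCredential schemas.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# IPs named in the Commvault advisory (the article lists them defanged with [.]).
SUSPICIOUS_IPS = {
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20",
}
# Hypothetical approved source ranges for the tenant (assumption; substitute your own allow-list).
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
MAX_SECRET_AGE = timedelta(days=90)  # advisory: rotate client secrets at least every 90 days

def classify_sign_in(event):
    """Findings for one sign-in record; 'ipAddress' follows the Entra sign-in log field name."""
    ip = ipaddress.ip_address(event["ipAddress"])
    findings = []
    if str(ip) in SUSPICIOUS_IPS:
        findings.append("known-malicious-ip")
    if not any(ip in net for net in APPROVED_RANGES):
        findings.append("outside-approved-ranges")
    return findings

def triage(sign_ins):
    """Map each flagged source IP to its findings; clean sign-ins are dropped."""
    flagged = {}
    for event in sign_ins:
        findings = classify_sign_in(event)
        if findings:
            flagged[event["ipAddress"]] = findings
    return flagged

def stale_secrets(credentials, now):
    """keyIds of app client secrets older than MAX_SECRET_AGE (passwordCredential-style records)."""
    return [c["keyId"] for c in credentials if now - c["startDateTime"] > MAX_SECRET_AGE]

# Constructed sample data: one clean sign-in, one from an advisory IP, one from an unknown range.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "svc-backup@example.com", "appDisplayName": "Commvault", "ipAddress": "203.0.113.25"},
    {"userPrincipalName": "svc-backup@example.com", "appDisplayName": "Commvault", "ipAddress": "159.242.42.20"},
    {"userPrincipalName": "svc-backup@example.com", "appDisplayName": "Commvault", "ipAddress": "192.0.2.77"},
]
NOW = datetime(2025, 5, 17, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"keyId": "secret-a", "startDateTime": datetime(2025, 3, 1, tzinfo=timezone.utc)},   # 77 days old
    {"keyId": "secret-b", "startDateTime": datetime(2025, 1, 10, tzinfo=timezone.utc)},  # 127 days old
]

if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_SIGN_INS).items():
        print(f"{ip}: {', '.join(findings)}")
    print("secrets due for rotation:", stale_secrets(SAMPLE_CREDENTIALS, NOW))
```

In a real tenant, feed the sign-in export for the Commvault service principal into `triage` and the application's credential list into `stale_secrets`; anything flagged with `known-malicious-ip` is what the advisory asks to be logged and forwarded to Commvault support.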
Overall, the incident highlights the critical need for continuous reassessment of cloud infrastructure security configurations, especially in the face of potentially state-coordinated cyber campaigns. Though the breach was limited in scope, its disclosure serves as a timely reminder to reinforce protective measures across all layers of the corporate IT landscape.