Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an urgent updated advisory highlighting cyber threat activity targeting Commvault’s Metallic Software-as-a-Service (SaaS) platform, which is widely used to back up Microsoft 365 environments.
As of May 2025, threat actors reportedly leverage stolen credentials to gain unauthorized access to service principals, prompting serious concerns about cloud supply chain security and elevated privilege abuse across enterprise networks.
What Is Commvault Metallic and Why Does It Matter
Commvault’s Metallic is a cloud-based backup and recovery service hosted on Microsoft Azure. It allows enterprises to back up Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft 365 data. Because it connects directly to the enterprise Microsoft Entra ID (formerly Azure AD), any compromise in its configuration or credentials can have devastating downstream effects.
In this case, attackers may have accessed stored client secrets used by Metallic to authenticate with Microsoft 365 environments. These secrets can act like keys to an organization’s entire cloud infrastructure.
Timeline of Activity
CISA’s May 22 advisory is an update to a broader investigation into threat actors exploiting default configurations and poorly secured service accounts across multiple cloud platforms. The advisory links the Commvault incident to a growing number of similar supply chain attacks, wherein attackers:
- Exploit misconfigured cloud applications
- Abuse elevated privileges
- Move laterally across SaaS and identity infrastructures
The precise number of affected organizations remains unknown, but the shared nature of SaaS platforms suggests the potential for widespread impact.
Key Threat Indicators and Attack Surface
According to the advisory, attackers exploited weaknesses in how credentials were stored or managed within the Metallic SaaS platform. They then used these secrets to authenticate against customers’ Microsoft Entra ID environments.
Affected organizations may observe the following behaviors:
- Unexpected sign-ins using Commvault service principals
- Unauthorized modifications to service principal credentials
- Elevated permissions granted to applications without administrator review
- Lateral movement into broader M365 environments
This pattern suggests a well-orchestrated campaign focused on supply chain exploitation through trusted cloud vendors.
Recommended Immediate Actions
CISA has outlined a comprehensive set of mitigation steps. Based on Cyble’s threat intelligence and best practices, we strongly encourage organizations to implement the following controls:
1. Audit Service Principal Activity
Review Microsoft Entra audit logs for unusual activity involving Commvault-managed identities. Key events to monitor include:
- Credential updates
- Sign-ins from suspicious IP ranges
- Creation of new credentials
- Consent grants involving high-privilege scopes
2. Enforce Conditional Access
For single-tenant applications, restrict authentication to only IP addresses within Commvault’s known allowlisted ranges. This reduces the chance of stolen credentials being used from infrastructure outside those ranges.
3. Rotate Application Secrets Immediately
If your organization used Commvault’s Metallic solution before May 2025, assume compromise and rotate credentials. From then on, set policies to auto-rotate secrets every 30 days.
4. Review OAuth and Graph API Permissions
Applications often request elevated Graph API scopes, such as Mail.ReadWrite or Files.Read.All. Audit existing app consents and remove those not essential for operations. Ensure admin consent was granted correctly.
5. Implement Secure Cloud Baselines
Follow CISA’s Secure Cloud Business Applications (SCuBA) guidance. These baselines help limit excessive privileges, enforce MFA, and reduce lateral movement paths.
6. Enable Unified Audit Logging
If not already enabled, turn on Microsoft 365’s unified audit logging to track Exchange, SharePoint, Teams, and Entra activities in a single dashboard. This is critical for long-term forensics.
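The log review in steps 1, 2 and 4 above, as an added example that is not part of the advisory, Commvault’s tooling or the original post. It runs over constructed, simplified records shaped like Entra audit and sign-in log entries and flags credential changes on Commvault service principals, unreviewed high-privilege consents, and service-principal sign-ins from outside a placeholder allowlist range (the real Commvault ranges must come from the vendor).

```python
import ipaddress
import json

# Placeholder allowlist range (documentation prefix), NOT Commvault's real published range.
COMMVAULT_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Graph scopes the post calls out as elevated, plus one directory-wide scope.
HIGH_PRIV_SCOPES = {"Mail.ReadWrite", "Files.Read.All", "Directory.ReadWrite.All"}

# Constructed sample records (one JSON object per line); field names are simplified
# from the Entra directoryAudits / signIns shapes for readability.
AUDIT_LOG = """
{"activity": "Update application - Certificates and secrets management", "target": "Metallic-Backup-SP", "initiatedBy": "backup-admin@example.com"}
{"activity": "Consent to application", "target": "Metallic-Backup-SP", "scopes": ["Mail.ReadWrite", "User.Read"], "adminConsent": false}
{"activity": "Add service principal credentials", "target": "Metallic-Backup-SP", "initiatedBy": "Metallic-Backup-SP"}
"""
SIGNIN_LOG = """
{"servicePrincipalName": "Metallic-Backup-SP", "ipAddress": "203.0.113.10"}
{"servicePrincipalName": "Metallic-Backup-SP", "ipAddress": "198.51.100.7"}
"""

def parse(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def audit_findings(records, sp_names):
    """Flag credential changes and unreviewed high-privilege consents on the named SPs."""
    findings = []
    for r in records:
        if r.get("target") not in sp_names:
            continue
        act = r.get("activity", "")
        if "credential" in act.lower() or "secret" in act.lower():
            findings.append(("credential_change", r["target"], act))
        if act == "Consent to application":
            risky = HIGH_PRIV_SCOPES & set(r.get("scopes", []))
            if risky and not r.get("adminConsent"):
                findings.append(("unreviewed_high_priv_consent", r["target"], sorted(risky)))
    return findings

def signin_findings(records, sp_names, allowlist):
    """Flag sign-ins by the named SPs from IPs outside the vendor allowlist."""
    out = []
    for r in records:
        if r.get("servicePrincipalName") in sp_names:
            ip = ipaddress.ip_address(r["ipAddress"])
            if not any(ip in net for net in allowlist):
                out.append(("signin_outside_allowlist", r["servicePrincipalName"], str(ip)))
    return out

if __name__ == "__main__":
    sps = {"Metallic-Backup-SP"}
    for f in audit_findings(parse(AUDIT_LOG), sps) + signin_findings(parse(SIGNIN_LOG), sps, COMMVAULT_ALLOWLIST):
        print(f)
```

In a real tenant the same checks would be fed from exported Entra audit and sign-in logs rather than the inline sample, and the allowlist replaced with Commvault’s documented ranges.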
On-Premises Commvault Customers Are Also at Risk
Although the focus remains on the Metallic SaaS platform, customers using on-premises Commvault installations are also advised to harden their configurations.
Recommendations include:
- Restricting UI access to trusted internal IPs
- Deploying a Web Application Firewall (WAF) to block path traversal or malicious uploads
- Monitoring for unusual activity originating from installation directories
- Removing any public-facing management portals
- Applying all available patches from Commvault promptly
CVE-2025-3928: A Known Exploited Weakness
CISA has added CVE-2025-3928—a vulnerability related to credential storage—to its Known Exploited Vulnerabilities (KEV) catalog. This move requires all federal civilian executive branch agencies to remediate the issue by a specified deadline.
Enterprises in regulated sectors such as healthcare, financial services, and energy should treat this as a high-severity incident and act accordingly.
Why This Attack Matters to the Broader Ecosystem
The Commvault advisory is part of a broader pattern of attacks exploiting the trust boundaries between SaaS providers and identity infrastructures. As organizations increasingly adopt SaaS platforms, their attack surface now includes:
- Third-party cloud vendors with default configurations
- Overprivileged service principals
- Long-lived credentials with no rotation policies
- OAuth tokens and consent mechanisms
Once attackers gain access to a service principal, they can impersonate the application to access customer data, create new users, or exfiltrate sensitive information—all while hiding in legitimate activity logs.
This highlights the critical need to treat SaaS security as an extension of your zero-trust strategy.
Incident Response and Reporting
If your organization suspects compromise:
- Disconnect suspicious service principals immediately
- Reset associated credentials
- Notify internal response teams
- Report incidents to National CERTs
Enterprises are also encouraged to engage with trusted threat intelligence vendors to conduct a broader compromise assessment.
Final Thoughts
The exploitation of Commvault’s Metallic SaaS platform underlines a dangerous evolution in attacker tactics. Instead of brute-forcing user accounts or exploiting endpoints, threat actors are now targeting trusted service relationships between SaaS platforms and cloud identity providers.
Organizations that do not have full visibility into these service relationships—and do not regularly audit and rotate application secrets—may be blind to these threats. As supply chain attacks continue to evolve, so must our defenses.