CISA Warns of Cyber Threats Targeting Commvault’s Microsoft Azure Services

WASHINGTON, D.C. — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced on Thursday that Commvault is dealing with cyber threats aimed at applications hosted in its Microsoft Azure cloud environment.

CISA warned that threat actors might have gained access to client secrets for Commvault’s Metallic Microsoft 365 backup software-as-a-service solution. This unauthorized access could allow cybercriminals to infiltrate customers’ M365 environments, which rely on application secrets stored by Commvault.

The agency’s advisory highlights a potential connection to a larger campaign targeting various software-as-a-service providers. This campaign exploits vulnerabilities related to default configurations and elevated permissions, raising alarms across the tech industry.

This warning follows a revelation from Commvault that Microsoft alerted the firm in February 2025 regarding unauthorized activity, which was attributed to a nation-state threat actor. This incident exploited a zero-day vulnerability in the Commvault Web Server, enabling attackers to create and execute web shells.

In an official statement, Commvault said, “Based on industry experts, this threat actor uses sophisticated techniques to gain access to customer M365 environments.” The company also noted that the attackers might have accessed app credentials that certain customers use for M365 authentication.

Commvault emphasized that it has taken multiple remedial actions, including rotating app credentials for M365, and has confirmed that there has been no unauthorized access to customer backup data.

To address these threats, CISA recommends that users and administrators adhere to specific security guidelines. The agency continues to investigate the malicious activity in partnership with various organizations as part of its effort to secure vulnerable cloud infrastructures.