Another day, another zero-day. And this time, it’s Commvault—the enterprise backup giant—caught in the storm cloud. Specifically, their Microsoft Azure environment was briefly compromised by a still-unnamed nation-state actor using CVE-2025-3928, a zero-day now added to CISA’s Known Exploited Vulnerabilities (KEV) list.
But before you cancel your backup subscriptions and go full doomsday-prepper with USB sticks, here’s the good news: no unauthorized access to stored customer backup data was detected.
“Cybersecurity joke: I told my cloud provider a joke. They said it was too sensitive and encrypted it immediately.”
So, What Happened?
Let’s break it down:
- On February 20, 2025, Microsoft notified Commvault of suspicious activity in their Azure environment.
- The attack was traced back to CVE-2025-3928, a zero-day vulnerability in Commvault’s web server software.
- The threat actor? Likely nation-state sponsored (so not your average script kiddie with a caffeine addiction).
- Commvault responded quickly: rotated credentials, boosted security, and issued public advisories.
Commvault emphasized that this impacted only a small number of customers, and there was no breach of backup data.
The Zero-Day That Made the KEV List
CVE-2025-3928 has officially joined the Cybersecurity & Infrastructure Security Agency (CISA) KEV catalog. Translation? It’s serious enough that Federal Civilian Executive Branch (FCEB) agencies must patch it by May 19, 2025.
If CISA’s putting a deadline on it, you can bet it’s not just a theoretical threat.
So, What Should You Be Doing? (Besides Panicking)
1. Apply Conditional Access Policies
Make sure Microsoft 365, Dynamics 365, and Azure AD app registrations have Conditional Access policies applied.
2. Rotate & Sync Client Secrets Every 90 Days
Yes, it’s annoying. Yes, it matters. Secrets age like milk, not wine.
3. Block These IPs Immediately
Commvault flagged these as malicious:
- 108.69.148.100
- 128.92.80.210
- 184.153.42.129
- 108.6.189.53
- 159.242.42.20
Update your Conditional Access policies to block these, and monitor sign-in logs like your job depends on it. (Spoiler: it might.)
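As an added example (not from this post, Commvault, or Microsoft), here is a Python triage script that applies steps 2 and 3 to exported Microsoft Graph sign-in and app-registration records: it flags sign-ins from the IPs above and client secrets issued more than 90 days ago. The sample records, app names and key IDs are constructed; the field names follow the Graph signIn and passwordCredential resources.

```python
"""Triage helpers: sign-ins from the IPs Commvault flagged, and
app-registration client secrets older than 90 days. Field names follow the
Microsoft Graph signIn / passwordCredential resources; records are constructed."""
from datetime import datetime, timedelta, timezone

# IPs from the Commvault advisory, as listed above
FLAGGED_IPS = {"108.69.148.100", "128.92.80.210", "184.153.42.129",
               "108.6.189.53", "159.242.42.20"}
MAX_SECRET_AGE = timedelta(days=90)

def parse_ts(s):
    # Graph timestamps are ISO 8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def flagged_sign_ins(sign_ins):
    """Return sign-in records whose source IP is on the flagged list."""
    return [s for s in sign_ins if s.get("ipAddress") in FLAGGED_IPS]

def stale_secrets(apps, now):
    """Return (app, keyId, age_days) for secrets issued more than 90 days ago.
    Age is measured from startDateTime: a long-lived secret issued long ago
    is still valid, so expiry alone does not catch it."""
    out = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            age = now - parse_ts(cred["startDateTime"])
            if age > MAX_SECRET_AGE:
                out.append((app["displayName"], cred["keyId"], age.days))
    return out

# Constructed sample data (not real tenant records)
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2025-02-19T03:14:07Z", "ipAddress": "184.153.42.129",
     "appDisplayName": "Backup Connector", "userPrincipalName": "svc-backup@example.com"},
    {"createdDateTime": "2025-02-19T09:02:55Z", "ipAddress": "203.0.113.10",
     "appDisplayName": "Outlook", "userPrincipalName": "alice@example.com"},
    {"createdDateTime": "2025-02-20T01:41:12Z", "ipAddress": "108.6.189.53",
     "appDisplayName": "Backup Connector", "userPrincipalName": "svc-backup@example.com"},
]
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"displayName": "Backup Connector", "passwordCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111",  # constructed
         "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"}]},
    {"displayName": "Ticketing Bot", "passwordCredentials": [
        {"keyId": "22222222-2222-2222-2222-222222222222",  # constructed
         "startDateTime": "2025-03-15T00:00:00Z", "endDateTime": "2025-09-15T00:00:00Z"}]},
]

if __name__ == "__main__":
    for s in flagged_sign_ins(SAMPLE_SIGN_INS):
        print("FLAGGED IP:", s["createdDateTime"], s["ipAddress"], s["userPrincipalName"])
    for name, key_id, days in stale_secrets(SAMPLE_APPS, NOW):
        print(f"ROTATE: {name} secret {key_id} is {days} days old")
```

In a real tenant, feed it the output of the Graph `auditLogs/signIns` and `applications` endpoints (or their Get-MgAuditLogSignIn / Get-MgApplication equivalents) instead of the constructed samples.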
“There are only two types of cloud users: those who log sign-in attempts… and those who learn about intrusions from Microsoft.”
Damage Report: Minimal but Meaningful
According to Commvault:
- No backup data was accessed
- No material impact on business operations
- But still… a wake-up call for every organization relying on third-party cloud integrations
The event reminds us that supply chain trust is only as strong as its weakest credential sync.
Final Thought: Backups Aren’t Just for Data—They’re for Trust
Even in a breach, Commvault showed how proactive, transparent communication and swift security response can maintain customer trust. But don’t let their clean-up crew do all the heavy lifting for you. Patch, monitor, audit—and never trust a token that hasn’t been rotated.
Because if a nation-state hacker wants in, the least you can do is make them work for it.