CVE-2025-3928: What the Commvault Breach Means for Your Business

What Just Happened with Commvault?

Imagine you’re running backups like a responsible business owner. Everything’s in the cloud, neatly stored in Microsoft 365 via Commvault’s Metallic SaaS solution. You’ve got peace of mind until a threat actor comes knocking… without using the front door.

That’s what happened recently, and CISA (yes, the U.S. Cybersecurity and Infrastructure Security Agency) is sounding the alarm.

The Breach Breakdown

Who got targeted? Commvault’s Metallic backup software, specifically the version hosted on Microsoft Azure.

How bad is it? Threat actors got hold of application secrets (basically digital keys) that let them sneak into some customers’ Microsoft 365 environments.

Was your data touched? Commvault says no customer backup data was accessed, but they aren’t sugar-coating it: secrets were exposed.

So… How Did They Get In?


This wasn’t your average “guess the password” hack. This was:

Zero-day exploitation of a vulnerability now identified as CVE-2025-3928, a flaw in the Commvault Web Server.

Nation-state-level tactics. (Yes, the serious kind.)

Abuse of default cloud configurations and overly permissive roles in Azure environments.

The following IP addresses have been associated with malicious activity:

  • 108.69.148.100
  • 128.92.80.210
  • 184.153.42.129
  • 108.6.189.53
  • 159.242.42.20

“These IP addresses should be explicitly blocked within your Conditional Access policies and monitored in your Azure sign-in logs.”
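As an added example (not code from the original post, and not from Commvault or CISA), the script below does the two things the guidance asks for: it scans exported Entra ID (Azure AD) sign-in records for the five listed IP addresses, and it builds the Microsoft Graph request body for a Conditional Access named location (an ipNamedLocation) holding those IPs, which a block policy can then reference. The sign-in records are constructed sample data using the field names a sign-in log export carries; the user and app names are invented, and the payload is only built, not sent.

```python
"""Scan exported Entra ID sign-in records for the IPs named in the CVE-2025-3928
guidance, and build the Graph payload for a Conditional Access named location.

The IP list comes from the post. The sign-in records are constructed for this
example and are not real telemetry.
"""
import ipaddress
import json
from collections import Counter

# Indicators listed in the post as associated with malicious activity.
SUSPICIOUS_IPS = {
    "108.69.148.100",
    "128.92.80.210",
    "184.153.42.129",
    "108.6.189.53",
    "159.242.42.20",
}

# Constructed sample of sign-in log records (field names follow an Entra ID
# sign-in export: createdDateTime, userPrincipalName, ipAddress,
# appDisplayName, status.errorCode). Users and apps are invented.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-28T09:12:44Z", "userPrincipalName": "backup-svc@contoso.example",
     "ipAddress": "108.69.148.100", "appDisplayName": "Commvault Metallic", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-28T09:15:02Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.25", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-28T11:40:19Z", "userPrincipalName": "backup-svc@contoso.example",
     "ipAddress": "159.242.42.20", "appDisplayName": "Microsoft Graph", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-04-29T02:03:55Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
]


def find_suspicious_signins(records, iocs=SUSPICIOUS_IPS):
    """Return the records whose source ipAddress is in the IOC set.

    A successful sign-in (errorCode 0) from a listed IP needs immediate
    follow-up (rotate the affected secrets); a failed one still shows the
    IP touching the tenant and is worth keeping in the triage list.
    """
    hits = []
    for rec in records:
        ip = rec.get("ipAddress")
        if ip in iocs:
            hits.append({
                "time": rec["createdDateTime"],
                "user": rec.get("userPrincipalName"),
                "ip": ip,
                "app": rec.get("appDisplayName"),
                "succeeded": rec.get("status", {}).get("errorCode") == 0,
            })
    return hits


def summarize(hits):
    """Count hits per IP and per user so the triage list stays short."""
    return {
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "by_user": dict(Counter(h["user"] for h in hits)),
        "successful": sum(1 for h in hits if h["succeeded"]),
    }


def named_location_payload(iocs=SUSPICIOUS_IPS, name="CVE-2025-3928 blocked IPs"):
    """Build the Graph body for an ipNamedLocation containing the IOCs.

    This is the request body for POST /identity/conditionalAccess/namedLocations;
    a Conditional Access block policy then references the location by id.
    Each IP becomes a /32 CIDR entry. The payload is built here, not sent.
    """
    ranges = []
    # sorted() with ipaddress.ip_address as key also rejects malformed entries.
    for ip in sorted(iocs, key=ipaddress.ip_address):
        ranges.append({"@odata.type": "#microsoft.graph.iPv4CidrRange",
                       "cidrAddress": f"{ip}/32"})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": False,
        "ipRanges": ranges,
    }


if __name__ == "__main__":
    hits = find_suspicious_signins(SAMPLE_SIGNINS)
    for h in hits:
        print(f"{h['time']} {h['user']} from {h['ip']} -> {h['app']} "
              f"({'SUCCESS' if h['succeeded'] else 'failed'})")
    print(json.dumps(summarize(hits), indent=2))
    print(json.dumps(named_location_payload(), indent=2))
```

On real data, replace SAMPLE_SIGNINS with the records from a sign-in log export (for example the JSON downloaded from the Entra admin center or returned by the Graph auditLogs/signIns endpoint); the matching logic is the same. Any successful hit against the backup service identity is the signal to rotate that application's secrets, not just to block the IP.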

💬 Final Word from TechSquad


“Handle your business. Let us handle the IT.”

Before that next app gets approved, that next integration gets rolled out, or that next breach makes the news, reach out to us.

We’ll help you lock it down, so you can sleep at night.

Stay protected with TechSquad!


TechSquad Daniel