Commvault Confirms Zero-Day Exploit Used in Azure Breach by Nation-State Hackers

Enterprise data backup provider Commvault has confirmed that a nation-state threat actor exploited a zero-day vulnerability—CVE-2025-3928—to breach its Microsoft Azure environment. However, the company stressed that there is no evidence of any unauthorized access to customer backup data.

“This activity impacted a small number of customers that we share with Microsoft,” Commvault stated in an official update. “We are actively working with those customers to provide support and guidance.”

Crucially, Commvault emphasized that the breach did not compromise any of the customer backup data it manages, nor did it disrupt its business operations or its ability to deliver services.

According to an advisory issued on March 7, 2025, Commvault was alerted by Microsoft on February 20 about suspicious activity within its Azure infrastructure. The investigation revealed that the attackers had exploited CVE-2025-3928, at that point an unknown (zero-day) vulnerability. In response, the company rotated the affected credentials and implemented stronger security measures.

The incident gained further attention when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog. CISA has now mandated that all Federal Civilian Executive Branch (FCEB) agencies apply patches to Commvault Web Server systems by May 19, 2025.

To protect against similar attacks, Commvault is recommending that customers:

  • Apply Conditional Access policies to all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations.
  • Rotate and synchronize client secrets between the Azure portal and Commvault every 90 days.
  • Monitor login activity for access attempts from unrecognized IP addresses.

Commvault specifically flagged the following IP addresses as linked to malicious activity:

  • 108.69.148.100
  • 128.92.80.210
  • 184.153.42.129
  • 108.6.189.53
  • 159.242.42.20

“These IPs should be blocked explicitly in your Conditional Access policies,” the company advised. “Monitor your Azure sign-in logs, and if any attempts are detected from these addresses, report them to Commvault Support immediately for further investigation.”
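The monitoring and blocking steps above can be exercised against an exported sign-in log. The script below is an added example, not Commvault's or Microsoft's tooling: it scans records in the shape of the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `status.errorCode`) for the five IP addresses Commvault published, summarizes successful versus failed sign-ins per identity (a successful sign-in from a flagged address is the case to report), and builds the `ipRanges` entries for a Graph `ipNamedLocation` that a Conditional Access block policy can reference. The sample records, identities and timestamps are constructed for this example.

```python
"""Scan an exported Entra ID (Azure AD) sign-in log for the IP addresses
Commvault flagged, and build the matching Conditional Access IP ranges.

Added example; not Commvault's or Microsoft's tooling. Record shape follows
the Microsoft Graph `signIn` resource; the sample records are constructed.
"""
import ipaddress
import json
from collections import defaultdict

# IP addresses Commvault published as linked to the malicious activity.
COMMVAULT_FLAGGED_IPS = frozenset({
    "108.69.148.100",
    "128.92.80.210",
    "184.153.42.129",
    "108.6.189.53",
    "159.242.42.20",
})

# Constructed sample export: three sign-ins from flagged IPs (two successful,
# one failed with error 50126 = invalid credentials), one clean sign-in from a
# documentation-range address, and two malformed entries a scanner must not
# choke on. Identities and timestamps are made up for this example.
SAMPLE_SIGNIN_EXPORT = json.dumps([
    {"createdDateTime": "2025-02-18T03:12:44Z", "userPrincipalName": "svc-backup@example.com",
     "appDisplayName": "Commvault Backup App", "ipAddress": "128.92.80.210", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-18T03:15:02Z", "userPrincipalName": "svc-backup@example.com",
     "appDisplayName": "Commvault Backup App", "ipAddress": "108.6.189.53", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-02-18T09:40:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.25", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-19T22:05:37Z", "userPrincipalName": "svc-backup@example.com",
     "appDisplayName": "Commvault Backup App", "ipAddress": "159.242.42.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-19T22:06:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure Portal", "ipAddress": "not-an-ip", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-19T22:07:30Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
])


def load_signins(raw_json):
    """Parse a JSON array of sign-in records (as exported from the portal or Graph)."""
    records = json.loads(raw_json)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def canonical_ip(value):
    """Return the canonical text form of an IP, or None if missing/malformed.
    Normalising through `ipaddress` avoids misses on IPv6 spelling variants."""
    if not isinstance(value, str):
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def find_flagged_signins(records, flagged=COMMVAULT_FLAGGED_IPS):
    """Return the sign-in records whose source IP is on the flagged list."""
    canon_flagged = {canonical_ip(ip) for ip in flagged} - {None}
    return [r for r in records if canonical_ip(r.get("ipAddress")) in canon_flagged]


def summarize_by_principal(hits):
    """Count successful vs failed sign-ins from flagged IPs per identity.
    errorCode 0 is a successful sign-in, which is the case to report."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for r in hits:
        upn = r.get("userPrincipalName", "<unknown>")
        ok = (r.get("status") or {}).get("errorCode", -1) == 0
        summary[upn]["success" if ok else "failure"] += 1
    return dict(summary)


def conditional_access_ip_ranges(flagged=COMMVAULT_FLAGGED_IPS):
    """Build the ipRanges entries for a Microsoft Graph ipNamedLocation that a
    Conditional Access block policy can reference (one /32 or /128 per IP)."""
    ranges = []
    for ip in sorted(flagged, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))):
        addr = ipaddress.ip_address(ip)
        odata = "#microsoft.graph.iPv4CidrRange" if addr.version == 4 else "#microsoft.graph.iPv6CidrRange"
        ranges.append({"@odata.type": odata, "cidrAddress": f"{addr}/{addr.max_prefixlen}"})
    return ranges


if __name__ == "__main__":
    hits = find_flagged_signins(load_signins(SAMPLE_SIGNIN_EXPORT))
    for r in hits:
        print(r["createdDateTime"], r["userPrincipalName"], r["ipAddress"], r["status"]["errorCode"])
    print(summarize_by_principal(hits))
    print(json.dumps(conditional_access_ip_ranges(), indent=2))
```

Run it against a real export by replacing `SAMPLE_SIGNIN_EXPORT` with the file contents; the flagged-IP set is kept in one place so the same list feeds both the log scan and the named-location ranges, which keeps the detection and the block rule from drifting apart.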