Commvault says recent breach did not impact customer backup data


Commvault, a leading provider of data protection solutions, says a nation-state threat actor who breached its Azure environment did not gain access to customer backup data.

Listed on NASDAQ since March 2006, Commvault is included in the S&P MidCap 400 Index and provides cyber resilience services to over 100,000 organizations.

As the company first revealed on March 7, 2025, Commvault discovered the incident after being notified by Microsoft on February 20 of suspicious activity within its Azure environment. A follow-up investigation into the breach found that the incident only affected a small number of Commvault customers and had not impacted the company’s operations.

“Importantly, there was no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver services,” Danielle Sheer, the company’s Chief Trust Officer, said in a Wednesday update.

“We’re working closely with two leading cybersecurity firms and are coordinating with the appropriate authorities, including the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and others.”

In a support document containing indicators of compromise, Commvault advises customers to apply a Conditional Access policy to all Microsoft 365, Dynamics 365, and Azure AD single-tenant App registrations to protect their data against similar attack attempts.

It also recommended regularly monitoring sign-in activity to detect access attempts originating from IP addresses outside of allowed ranges, and rotating and syncing client secrets between Commvault and the Azure portal every 90 days.

“This will help quickly identify potential security breaches or account compromises. If any unauthorized access is detected, immediately report the incident to Commvault Support for further investigation and remediation,” the company says.
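The two checks recommended above (sign-ins from outside allowed IP ranges, and client secrets older than 90 days) can be sketched as follows. This is an added example, not code from Commvault or Microsoft; the record layout, field names, app name, and IP ranges are constructed assumptions and would need mapping to a real sign-in log export.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are assumptions, not a real export schema.
ALLOWED_RANGES = ["203.0.113.0/24", "2001:db8:10::/48"]
MAX_SECRET_AGE = timedelta(days=90)  # rotation interval stated in the advisory

SIGN_INS = [
    {"app": "backup-connector", "ip": "203.0.113.25", "time": "2025-03-01T08:12:00+00:00"},
    {"app": "backup-connector", "ip": "198.51.100.77", "time": "2025-03-01T08:40:00+00:00"},
    {"app": "backup-connector", "ip": "2001:db8:10::5", "time": "2025-03-02T01:05:00+00:00"},
    {"app": "backup-connector", "ip": "not-an-ip", "time": "2025-03-02T02:00:00+00:00"},
]
SECRETS = [
    {"app": "backup-connector", "key_id": "secret-a", "created": "2024-11-15T00:00:00+00:00"},
    {"app": "backup-connector", "key_id": "secret-b", "created": "2025-02-10T00:00:00+00:00"},
]


def out_of_range_sign_ins(sign_ins, allowed_ranges):
    """Return sign-ins whose source IP is outside every allowed range.
    Unparseable addresses are flagged too rather than silently dropped."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    flagged = []
    for event in sign_ins:
        try:
            addr = ipaddress.ip_address(event["ip"])
        except ValueError:
            flagged.append({**event, "reason": "unparseable address"})
            continue
        # An IPv4 address is never "in" an IPv6 network (and vice versa),
        # so a mixed allow-list is handled without special cases.
        if not any(addr in net for net in nets):
            flagged.append({**event, "reason": "outside allowed ranges"})
    return flagged


def stale_secrets(secrets, now, max_age=MAX_SECRET_AGE):
    """Return secrets created more than max_age before `now`."""
    return [s for s in secrets
            if now - datetime.fromisoformat(s["created"]) > max_age]


if __name__ == "__main__":
    now = datetime(2025, 3, 7, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for e in out_of_range_sign_ins(SIGN_INS, ALLOWED_RANGES):
        print("SIGN-IN", e["time"], e["app"], e["ip"], e["reason"])
    for s in stale_secrets(SECRETS, now):
        print("ROTATE ", s["app"], s["key_id"], "created", s["created"])
```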

The company also noted in the original disclosure that the threat actors exploited a now-patched zero-day vulnerability (CVE-2025-3928) in its Commvault Web Server software that remote authenticated attackers with low privileges can exploit to plant webshells on target servers.

CISA also added the CVE-2025-3928 vulnerability to its Known Exploited Vulnerabilities Catalog on Monday, requiring federal agencies to secure their Commvault software by May 19, 2025, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
