Active Exploitation of High-Severity Vulnerability in Commvault Software
27 May 2025
Commvault has released security updates to address a high-severity vulnerability (CVE-2025-3928) in its products. Users and administrators of the affected products are advised to update to the latest versions.
Background
Commvault has released security updates to address a high-severity vulnerability (CVE-2025-3928) in its products.
Impact
Successful exploitation of the vulnerability could allow a remote authenticated attacker to gain unauthorised access to the Microsoft 365 (M365) environments of Commvault customers whose application secrets are stored by Commvault, and to create and execute web shells.
Known Exploitation
This vulnerability is reportedly being actively exploited in Commvault's Metallic Software-as-a-Service (SaaS) platform, which is used for Microsoft 365 (M365) backups.
Affected Products
The vulnerability affects the following Windows and Linux versions of Commvault:
11.36.0 - 11.36.45 (Fixed in 11.36.46)
11.32.0 - 11.32.88 (Fixed in 11.32.89)
11.28.0 - 11.28.140 (Fixed in 11.28.141)
11.20.0 - 11.20.216 (Fixed in 11.20.217)
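The following is an added example, not code from Commvault or from this advisory: it checks an inventory of Commvault version strings against the affected ranges listed above, so that an administrator can see which installs still need the fixed release. The version strings and hostnames in the sample inventory are constructed placeholders.

```python
# Added example (not from the advisory): assess Commvault version strings
# against the affected ranges published for CVE-2025-3928.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed) per branch, as listed in the advisory.
AFFECTED_RANGES = [
    ((11, 36, 0), (11, 36, 45), (11, 36, 46)),
    ((11, 32, 0), (11, 32, 88), (11, 32, 89)),
    ((11, 28, 0), (11, 28, 140), (11, 28, 141)),
    ((11, 20, 0), (11, 20, 216), (11, 20, 217)),
]

def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (e.g. '11.36.12'); a missing patch counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def assess(version_text: str) -> dict:
    """Classify a version as 'affected', 'fixed' or 'unlisted' and report the fix version."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if v[:2] != low[:2]:
            continue  # different feature release branch
        if low <= v <= high:
            return {"version": v, "status": "affected", "fixed_in": fixed}
        return {"version": v, "status": "fixed", "fixed_in": fixed}
    # Branch not named in the advisory: do not assume it is safe; check vendor guidance.
    return {"version": v, "status": "unlisted", "fixed_in": None}

def version_string(v: Optional[Version]) -> str:
    return ".".join(str(n) for n in v) if v else "n/a"

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    inventory = {
        "cs-01.example": "11.36.12",
        "cs-02.example": "11.32.89",
        "ma-03.example": "11.34.5",
    }
    for host, ver in inventory.items():
        r = assess(ver)
        print(f"{host}: {ver} -> {r['status']} (fixed in {version_string(r['fixed_in'])})")
```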
Mitigation
Users and administrators of the affected products are advised to update to the latest versions and review access logs for any signs of unauthorised activity. Organisations should also rotate credentials and client secrets where applicable and monitor for indicators of compromise (IOCs) provided by security advisories. For Commvault SaaS customers, all necessary patches, including those addressing this vulnerability, are automatically deployed by Commvault. No customer action is required.
References
https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html