Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Active Exploitation of High-Severity Vulnerability in Commvault Software

27 May 2025

Commvault has released security updates to address a high-severity vulnerability (CVE-2025-3928) in its products. Users and administrators of the affected products are advised to update to the latest versions.

Background

Commvault has released security updates to address a high-severity vulnerability (CVE-2025-3928) in its products. 

Impact

Successful exploitation of vulnerability could allow a remote authenticated attacker to gain unauthorised access to Commvault's customers' M365 environments that have application secrets stored by Commvault and create and execute web shells.

Known Exploitation

This vulnerability is reportedly being actively exploited in (Metallic) Software-as-a-Service (SaaS) platform, which is used for Microsoft 365 (M365) backups.

Affected Products

The vulnerability affects the following Windows and Linux versions of Commvault:

  • 11.36.0 - 11.36.45 (Fixed in 11.36.46)

  • 11.32.0 - 11.32.88 (Fixed in 11.32.89)

  • 11.28.0 - 11.28.140 (Fixed in 11.28.141)

  • 11.20.0 - 11.20.216 (Fixed in 11.20.217)

Mitigation

Users and administrators of the affected products are advised to update to the latest versions and review access logs for any signs of unauthorised activity. Organisations should also rotate credentials and client secrets where applicable and monitor for indicators of compromise (IOCs) provided by security advisories. For Commvault SaaS customers, all necessary patches, including those addressing this vulnerability, are automatically deployed by Commvault. No customer action is required.

References

https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html

https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic

https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html

Back to top