NEWS State Hackers, Zero-Days, and Data Leaks — Just Another Day in Microsoft's Cloud

ExcalibuR

Experts sound the alarm, while corporations pretend it’s business as usual.

Commvault, a major provider of enterprise data backup solutions, has confirmed that its Microsoft Azure environment was compromised in a state-sponsored attack that exploited a zero-day vulnerability in Commvault's own Web Server software, since assigned CVE-2025-3928. While the company says there is no evidence of unauthorized access to customer data, the breach raises serious questions about the security of workloads hosted in Microsoft's cloud.


The suspicious activity was first detected on February 20, 2025, after Microsoft alerted Commvault. The attackers had exploited the flaw now tracked as CVE-2025-3928, prompting an immediate rotation of credentials and tightened security controls across the affected systems.


According to Commvault, only a small number of customers were affected, specifically customers that Commvault and Microsoft have in common. Backup data was reportedly not accessed, and business operations continued without disruption.




When Paranoia Becomes Common Sense


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-3928 to its catalog of actively exploited vulnerabilities. Federal agencies have been ordered to patch Commvault Web Servers by May 17, 2025.


Recommended mitigation steps include:


  • Enforcing Conditional Access policies on every app registration for Microsoft 365, Dynamics 365, and Azure AD (Entra ID) applications within the tenant.
  • Rotating client secrets in the Azure portal and syncing them into Commvault at least every 90 days.
  • Monitoring sign-in activity for access attempts from IP addresses that are not on the approved allow-list.

Notably, the following IP addresses were flagged for malicious activity and should be immediately blocked in access policies:


  • 108.69.148.100
  • 128.92.80.210
  • 184.153.42.129
  • 108.6.189.53
  • 159.242.42.20

Any sign-in attempts from these IPs should be logged and reported to Commvault support for further investigation.
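The three mitigation steps and the IOC list above, worked as a triage script. This is an added example, not code from Commvault or Microsoft: it scores constructed sign-in records shaped like Microsoft Graph `signIn` objects against the published IOC IPs and an assumed allow-list, and checks assumed app-registration secrets (shaped like Entra `passwordCredentials`) against the 90-day rotation window. The allow-list ranges, app IDs, secret names and review date are illustrative assumptions; only the five IOC addresses come from the advisory text.

```python
"""Triage helper for the Commvault guidance above (added example, not vendor code).

It does three things the advisory asks an admin to do by hand:
  1. flag sign-ins from the five IP addresses Commvault published as malicious,
  2. flag sign-ins from any IP outside an approved allow-list,
  3. list app-registration client secrets older than the 90-day rotation window.
Sign-in records mirror the fields of a Microsoft Graph `signIn` object and
secrets mirror `passwordCredentials` on an Entra application; both samples
below are constructed, and the allow-list ranges are placeholders.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

# IOC addresses exactly as listed in the advisory text above.
FLAGGED_IPS = {
    "108.69.148.100",
    "128.92.80.210",
    "184.153.42.129",
    "108.6.189.53",
    "159.242.42.20",
}

# ASSUMPTION: documentation ranges standing in for your own egress ranges and
# the Commvault service ranges you have approved. Replace with the real list.
APPROVED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

ROTATION_MAX_AGE = timedelta(days=90)  # the advisory's 90-day rotation guidance


def is_approved(ip: str) -> bool:
    """True when ip lies inside one of the approved ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_RANGES)


def triage_signins(events: list[dict]) -> list[tuple[str, str, dict]]:
    """Return (severity, reason, event) for every sign-in needing attention, worst first.

    A hit on the published IOC list outranks an ordinary off-allow-list sign-in;
    sign-ins from approved ranges produce no finding.
    """
    findings = []
    for ev in events:
        ip = ev["ipAddress"]
        if ip in FLAGGED_IPS:
            findings.append(("critical", "sign-in from Commvault-flagged IOC IP", ev))
        elif not is_approved(ip):
            findings.append(("medium", "sign-in from IP outside the allow-list", ev))
    rank = {"critical": 0, "medium": 1}
    findings.sort(key=lambda f: rank[f[0]])
    return findings


def stale_secrets(secrets: list[dict], now: datetime) -> list[dict]:
    """Return the secrets whose startDateTime is more than 90 days before `now`.

    Each returned entry is the original record plus an `ageDays` field.
    """
    stale = []
    for sec in secrets:
        started = datetime.fromisoformat(sec["startDateTime"].replace("Z", "+00:00"))
        age = now - started
        if age > ROTATION_MAX_AGE:
            stale.append({**sec, "ageDays": age.days})
    return stale


# Constructed sample data (not real telemetry). App IDs and key IDs are placeholders.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-20T03:14:07Z", "appDisplayName": "Commvault-M365-Backup",
     "appId": "11111111-1111-1111-1111-111111111111", "ipAddress": "108.69.148.100"},
    {"createdDateTime": "2025-02-20T03:15:22Z", "appDisplayName": "Commvault-M365-Backup",
     "appId": "11111111-1111-1111-1111-111111111111", "ipAddress": "203.0.113.45"},
    {"createdDateTime": "2025-02-20T09:41:00Z", "appDisplayName": "Commvault-M365-Backup",
     "appId": "11111111-1111-1111-1111-111111111111", "ipAddress": "192.0.2.77"},
]
SAMPLE_SECRETS = [
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "commvault-sync",
     "startDateTime": "2024-11-01T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "rotated-2025-04",
     "startDateTime": "2025-04-15T00:00:00Z"},
]
REFERENCE_NOW = datetime(2025, 5, 2, tzinfo=timezone.utc)  # assumed review date

if __name__ == "__main__":
    for severity, reason, ev in triage_signins(SAMPLE_SIGNINS):
        print(f"[{severity.upper()}] {ev['createdDateTime']} {ev['ipAddress']} "
              f"app={ev['appDisplayName']}: {reason}")
    for sec in stale_secrets(SAMPLE_SECRETS, REFERENCE_NOW):
        print(f"[ROTATE] secret '{sec['displayName']}' ({sec['keyId']}) is {sec['ageDays']} days old")
```

To run this against real data, pull sign-ins from Microsoft Graph (`GET /auditLogs/signIns`, filtered on the Commvault app's `appId`) and the app registration's `passwordCredentials` from `GET /applications/{id}`; the field names used above are the ones those objects expose. Sign-ins from the approved ranges produce no finding, so the output is only what needs a human decision: IOC hits to report to Commvault, off-list sources to investigate, and secrets past the rotation window.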




Broader Implications


While Commvault insists the incident was contained, the breach is yet another reminder of the growing threat landscape targeting cloud-based infrastructures. State-sponsored cyber operations are becoming more sophisticated, and corporate cloud tenants remain prime targets.


This case underscores the urgent need to reevaluate cloud security protocols — especially when sensitive enterprise and government data is at stake. Even small-scale intrusions can be the tip of the spear for much broader espionage or sabotage efforts.

