Article Details
Scrape Timestamp (UTC): 2025-05-23 05:21:47.597
Source: https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html
Original Article Text
Click to Toggle View
CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers' cloud infrastructures with default configurations and elevated permissions. The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment. The incident led to the discovery that the threat actors had been exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells. "Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments," Commvault said in an announcement. "This threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments." Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there has been no unauthorized access to customer backup data. To mitigate such threats, CISA is recommending that users and administrators follow the below guidelines - CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it's continuing to investigate the malicious activity in collaboration with partner organizations.
Daily Brief Summary
CISA reported Commvault's observation of cyber threats exploiting vulnerabilities in applications on Microsoft Azure.
Unauthorized access to Commvault's Metallic M365 backup SaaS solution was identified, stemming from compromised client secrets.
The incident suggests a larger campaign against SaaS providers, exploiting default configurations and excessive permissions.
A nation-state actor exploited a zero-day in the Commvault Web Server, leading to potential unauthorized command executions.
Despite the breach, Commvault confirmed no unauthorized access to customer backup data; remedial steps include rotating application credentials.
CISA has added the exploited vulnerability (CVE-2025-3928) to its Known Exploited Vulnerabilities Catalog and is investigating further with partners.
The agency emphasized the need for enhanced security practices among users and administrators of SaaS applications to prevent similar breaches.