Commvault, a leading enterprise data backup provider, has officially disclosed a cyberattack on its Microsoft Azure environment, marking a new data breach at Commvault. According to the company, the Commvault data breach resulted from a zero-day vulnerability, CVE-2025-3928, which was exploited by what it describes as a nation-state threat actor.
The Commvault cyberattack, first publicly acknowledged on March 7, 2025, was initially detected after Microsoft alerted the company on February 20 about unauthorized activity within its cloud infrastructure.
A subsequent investigation revealed that the attacker leveraged CVE-2025-3928, a vulnerability serious enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added it to its Known Exploited Vulnerabilities (KEV) catalog.
Federal agencies are required to patch this vulnerability by May 19, 2025.
Response to Commvault Data Breach and Customer Assurance
Despite the Commvault data breach, the company has reassured customers that there was no unauthorized access to backup data. “Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects,” said Danielle Sheer, Chief Trust Officer, in an April 27 update. She also confirmed no material impact on operations or service delivery.
The cyberattack on Commvault affected a small number of customers it shares with Microsoft. Commvault is working with two leading cybersecurity firms and is cooperating with the FBI, CISA, and other authorities.
Security Enhancements and Recommendations
Commvault has implemented multiple security improvements to mitigate risks, including enhanced key rotation and advanced monitoring rules. It has also shared updated best practices for securing Microsoft 365, Dynamics 365, and Entra ID workloads that are configured with single-tenant app registrations.
Customers are advised to:
- Apply Conditional Access policies.
- Rotate and sync client secrets every 90 days.
- Monitor login activity for suspicious IP addresses.
Known Malicious IP Addresses to Block
As part of the response to the Commvault data breach, the company has identified and shared a list of IP addresses linked to malicious activity:
- 108.69.148.100
- 128.92.80.210
- 184.153.42.129
- 108.6.189.53
- 159.242.42.20
“These IP addresses should be explicitly blocked within your Conditional Access policies,” Commvault advised. Any detected activity from these sources should be reported immediately to SecurityAdvisory@commvault.com.
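The two customer-side checks the advisory calls for, matching sign-in activity against the published IP list and spotting client secrets that have outlived the 90-day rotation window, can be scripted. The example below is added here and is not Commvault's or Microsoft's tooling; the sign-in records are constructed, and the field names (`ts`, `appId`, `ipAddress`, `status`, `created`) are assumptions rather than an official log schema. Only the five IP addresses come from the advisory quoted above.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# The five addresses Commvault published in its advisory (see the list above).
COMMVAULT_MALICIOUS_IPS = {
    "108.69.148.100",
    "128.92.80.210",
    "184.153.42.129",
    "108.6.189.53",
    "159.242.42.20",
}

SECRET_MAX_AGE_DAYS = 90  # rotation interval recommended in the advisory

# Constructed sample sign-in log, one JSON object per line. The field names are
# assumptions for this example, not an official Entra ID sign-in schema. The
# third line is deliberately malformed to show the parser skipping bad input.
SAMPLE_LOG = """
{"ts": "2025-02-19T03:14:07Z", "appId": "app-1", "ipAddress": "108.69.148.100", "status": "Success"}
{"ts": "2025-02-19T09:00:00Z", "appId": "app-1", "ipAddress": "203.0.113.25", "status": "Success"}
this line is not json
{"ts": "2025-02-20T11:45:30Z", "appId": "app-2", "ipAddress": "159.242.42.20", "status": "Failure"}
{"ts": "2025-02-21T14:02:11Z", "appId": "app-2", "ipAddress": "198.51.100.7", "status": "Success"}
"""

# Constructed client-secret inventory: when each app registration's secret was created.
SAMPLE_SECRETS = [
    {"appId": "app-1", "created": "2025-01-01T00:00:00Z"},
    {"appId": "app-2", "created": "2025-03-15T00:00:00Z"},
]


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank or invalid lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def flag_known_bad_signins(records, blocklist=COMMVAULT_MALICIOUS_IPS):
    """Return the sign-in records whose source IP is on the published blocklist.

    Addresses are compared as parsed IP objects, so '108.6.189.53' and a
    padded or differently formatted rendering of the same address still match.
    """
    bad = {ipaddress.ip_address(ip) for ip in blocklist}
    hits = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec.get("ipAddress"))
        except (TypeError, ValueError):
            continue  # missing or unparsable address: nothing to compare
        if addr in bad:
            hits.append(rec)
    return hits


def _parse_iso(ts):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def secrets_past_rotation_window(secrets, now_iso, max_age_days=SECRET_MAX_AGE_DAYS):
    """Return the app IDs whose client secret is older than the rotation window."""
    cutoff = _parse_iso(now_iso) - timedelta(days=max_age_days)
    return [s["appId"] for s in secrets if _parse_iso(s["created"]) < cutoff]


if __name__ == "__main__":
    records = parse_signin_log(SAMPLE_LOG)
    for rec in flag_known_bad_signins(records):
        print(f"ALERT {rec['ts']} app={rec['appId']} ip={rec['ipAddress']} status={rec['status']}")
    for app_id in secrets_past_rotation_window(SAMPLE_SECRETS, "2025-04-27T00:00:00Z"):
        print(f"ROTATE client secret for {app_id}: older than {SECRET_MAX_AGE_DAYS} days")
```

Both failed and successful sign-ins from a listed address are reported, since a failed attempt from a known-bad source is still worth escalating. In a real deployment the log text would come from an exported sign-in log and the secret inventory from the tenant's app registrations; blocking the addresses in Conditional Access, as the advisory directs, remains the preventive control, and this script only confirms whether anything slipped through before the block was in place.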