
Commvault confirms no customer data compromised in nation-state cyberattack on Azure environment

Commvault, a NASDAQ-listed provider of data protection and cyber resilience solutions, has confirmed that a recent cyberattack by a nation-state threat actor did not compromise customer backup data or materially affect its business operations.


The company, which supports more than 100,000 organizations globally and is part of the S&P MidCap 400 Index, disclosed the security incident on March 7, 2025. According to the company, the breach was initially identified following a February 20 notification from Microsoft regarding suspicious activity in Commvault’s Azure cloud environment.


In an official update released Wednesday, Danielle Sheer, Commvault’s Chief Trust Officer, reiterated that no unauthorized access to stored customer backup data occurred and that the incident had no significant operational impact. “Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services,” Sheer stated.


Commvault has since engaged two prominent cybersecurity firms to assist with the investigation and is coordinating with relevant authorities, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).


Further investigation determined that only a small number of customers were affected by the breach. The threat actor reportedly exploited a zero-day vulnerability, now identified as CVE-2025-3928, within the Commvault Web Server software. The flaw, which has since been patched, could allow remote authenticated attackers with limited privileges to deploy webshells on vulnerable servers.


Following the incident, Commvault released a support advisory detailing recommended security measures. These include applying Conditional Access policies to all Microsoft 365, Dynamics 365, and Azure Active Directory single-tenant application registrations, as well as continuously monitoring sign-in activity to detect login attempts from unauthorized IP addresses. The company also advises rotating and synchronizing client secrets between Commvault systems and the Azure portal every 90 days.


“If any unauthorized access is detected, immediately report the incident to Commvault Support for further investigation and remediation,” the advisory said.
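The two checks the advisory describes (sign-ins from IP addresses outside an approved list, and client secrets older than 90 days) can be run over exported records as in the sketch below. This is an added example, not code from Commvault or the advisory; the record field names, application IDs, and addresses are constructed sample data, and the allowed range is an assumption.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_SECRET_AGE = timedelta(days=90)  # rotation interval named in the advisory

def unauthorized_sign_ins(sign_ins, allowed_cidrs):
    """Return sign-in records whose source IP is outside every allowed range."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for rec in sign_ins:
        try:
            ip = ipaddress.ip_address(rec["ipAddress"])
        except (KeyError, ValueError):
            flagged.append(rec)  # missing or malformed address: review manually
            continue
        if not any(ip in net for net in nets):
            flagged.append(rec)
    return flagged

def overdue_secrets(secrets, now):
    """Return (appId, keyId, age_days) for secrets past the rotation interval."""
    overdue = []
    for s in secrets:
        age = now - datetime.fromisoformat(s["startDateTime"])
        if age > MAX_SECRET_AGE:
            overdue.append((s["appId"], s["keyId"], age.days))
    return overdue

# Constructed sample data (documentation IP ranges, hypothetical app IDs).
ALLOWED_CIDRS = ["203.0.113.0/24"]
SAMPLE_SIGN_INS = [
    {"appId": "app-backup-01", "ipAddress": "203.0.113.10"},
    {"appId": "app-backup-01", "ipAddress": "198.51.100.77"},
    {"appId": "app-backup-02", "ipAddress": "not-an-ip"},
]
SAMPLE_SECRETS = [
    {"appId": "app-backup-01", "keyId": "key-a",
     "startDateTime": "2025-01-01T00:00:00+00:00"},
    {"appId": "app-backup-02", "keyId": "key-b",
     "startDateTime": "2025-04-01T00:00:00+00:00"},
]
SAMPLE_NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in unauthorized_sign_ins(SAMPLE_SIGN_INS, ALLOWED_CIDRS):
        print("review sign-in:", rec)
    for app, key, days in overdue_secrets(SAMPLE_SECRETS, SAMPLE_NOW):
        print(f"rotate secret {key} for {app}: {days} days old")
```

Records with a missing or unparseable address are flagged rather than skipped, so a malformed log entry cannot pass the check unnoticed.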


On April 28, CISA added the CVE-2025-3928 vulnerability to its Known Exploited Vulnerabilities Catalog. In accordance with Binding Operational Directive 22-01, issued in November 2021, federal agencies are now required to secure their Commvault installations against this vulnerability by May 19, 2025. CISA emphasized the significant risk such vulnerabilities pose, particularly as common entry points for malicious cyber actors targeting government systems.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543