Vorlon Blog

Commvault Metallic Microsoft 365 Breach & What to Do Next

Written by Anil Agrawal | May 28, 2025 7:33:20 PM

TL;DR

 

On May 23, 2025, CISA issued an urgent advisory after nation-state attackers exploited a zero-day (CVE-2025-3928) in the web server behind Commvault’s Metallic Microsoft 365 backup SaaS platform. If your organization uses Commvault to back up Microsoft 365, review the activity of Commvault’s application credentials, rotate them, reduce their permissions, and watch for suspicious behavior now. The direct risk is limited to Commvault customers, but the incident is part of a rising wave of attacks on third-party SaaS integrations, and every organization should use it to evaluate how secrets and permissions are managed across its cloud ecosystem.

Read on for a rapid response plan and deeper guidance on defending your SaaS environment.

If you are an existing Vorlon customer, skip to the customer playbook below.

What happened: Targeted attack on Commvault Metallic for Microsoft 365

 

CISA’s alert stems from an attack on Commvault’s Metallic backup platform, which is hosted in Microsoft Azure. Threat actors exploited a zero-day vulnerability (CVE-2025-3928) in the Commvault web server that lets a remote, authenticated attacker create and execute web shells, and used it to gain unauthorized access to Commvault’s environment. Critically, the attackers may have obtained the client secrets (application credentials) that Commvault stores on behalf of some customers to connect to their Microsoft 365 (M365) tenants.

Commvault reports that no customer backup data was compromised, but some application secrets were potentially exposed. A valid client secret lets whoever holds it authenticate as the Commvault application, so it could allow attackers to read or manipulate a customer’s M365 data with exactly the permissions that application was granted in the tenant.

Who is at immediate risk?

  • Commvault Metallic M365 backup customers, especially those whose app credentials are managed or stored by Commvault.

Who is not directly impacted by this incident?

  • Organizations that do not use Commvault’s Metallic backup for M365, or do not have app secrets managed by Commvault, are not in the blast radius of this specific attack.

First steps for Commvault Metallic M365 backup customers

 

If your organization uses Commvault’s Metallic (or a similar SaaS backup connector for Microsoft 365), take these immediate steps:

  1. Review and Rotate Credentials
  • Identify every app registration and service principal in your tenant that Commvault authenticates with, including secrets Commvault manages on your behalf.
  • Rotate these secrets immediately, even if you have not been notified directly: add the new secret, update it on the Commvault side, then remove the old one. Adding a second secret alone leaves the exposed one valid until it expires.
  • Establish credential rotation on a fixed schedule as a standing practice.
  2. Monitor for Unauthorized Activity
  • Check Microsoft Entra audit logs, going back to the earliest date the compromise may have started rather than the date you were notified, for:
    • New or unexpected credentials added to service principals, especially Commvault’s.
    • Changes to application registrations, role assignments or consents initiated by Commvault service principals; a backup connector has no reason to modify the directory.
    • Service principal sign-ins for the Commvault application from IP addresses outside the ranges Commvault publishes.
  • Review the Microsoft 365 unified audit log for unusual mailbox, SharePoint or OneDrive access and for privilege changes.
  3. Audit and Limit Permissions
  • Audit all service principals and app registrations, and in particular the API permissions that carry admin consent.
  • Remove excessive privileges or admin consents that aren’t strictly necessary for backup.
  • For single-tenant apps, use a Conditional Access policy to restrict the Commvault service principal’s authentication to an approved IP range (the egress addresses Commvault publishes). Conditional Access for workload identities requires a Microsoft Entra Workload ID license and applies only to single-tenant service principals.
  4. Harden Access to Management Interfaces
  • Restrict Commvault management interfaces to trusted networks and administrative systems.
  • Remove unnecessary external access to backup or SaaS admin panels.
  5. Strengthen Web App Security
  • If you run the Commvault web server yourself, apply Commvault’s fixed versions for CVE-2025-3928; the vulnerability is in the product, not only in Commvault’s hosted instance.
  • Deploy a Web Application Firewall (WAF) to block path traversal and suspicious file uploads.
  • Monitor web server directories for web shells or unexpected scripts.
  6. Coordinate with Vendors
  • Contact Commvault and Microsoft for recommended actions, updates, or indicators of compromise.
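As a worked version of the monitoring step above, here is an added example (not Vorlon’s or Commvault’s code) that triages exported Entra audit and service principal sign-in records. It flags credentials added to the vendor’s service principal, directory changes initiated by that service principal, and sign-ins from outside an approved IP range, and it ignores events older than the review window. The record shapes follow the Microsoft Graph directoryAudit and servicePrincipalSignIn objects; the service principal ids, IP range, review date and sample records are all constructed assumptions.

```python
"""Triage exported Microsoft Entra audit and sign-in records for a backup vendor's
service principal. Added example, not Vorlon or Commvault code; record shapes follow
Graph's directoryAudit and servicePrincipalSignIn objects, all sample data is constructed."""
import ipaddress
from datetime import datetime, timezone

VENDOR_SP_ID = "3f9c1a7e-5b2d-4c61-9e0a-7d8f1c2b3a40"  # hypothetical vendor SP object id
# Assumed vendor egress range (RFC 5737 documentation space); use the vendor's published list.
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed review window: the earliest date access may have begun, not the notification date.
REVIEW_SINCE = datetime(2025, 2, 1, tzinfo=timezone.utc)

# Audit activities that add a credential to an identity, and ones that change what it may do.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Update application – Certificates and secrets management"}
PRIVILEGE_ACTIVITIES = {"Add app role assignment to service principal",
                        "Add owner to service principal", "Consent to application",
                        "Update application"}

def parse_time(value):
    """Parse the ISO 8601 UTC timestamps Graph returns (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def initiator_sp_id(record):
    """Service principal that initiated an audit event, or None if a user did."""
    return ((record.get("initiatedBy") or {}).get("app") or {}).get("servicePrincipalId")

def flag_audit_events(records, since=REVIEW_SINCE):
    """Findings for credentials added to the vendor SP, or directory changes made by it."""
    findings = []
    for rec in records:
        if parse_time(rec["activityDateTime"]) < since:
            continue
        activity = rec["activityDisplayName"]
        target_ids = {t.get("id") for t in rec.get("targetResources", [])}
        if activity in CREDENTIAL_ACTIVITIES and VENDOR_SP_ID in target_ids:
            # An attacker holding a stolen secret usually adds one they control so
            # access survives rotation; every new credential on this SP needs an owner.
            findings.append({"kind": "credential_added_to_vendor_sp",
                             "at": rec["activityDateTime"], "activity": activity})
        elif (initiator_sp_id(rec) == VENDOR_SP_ID
              and activity in CREDENTIAL_ACTIVITIES | PRIVILEGE_ACTIVITIES):
            # A backup connector reads mailboxes and sites; it has no business
            # editing app registrations, role assignments or consents.
            findings.append({"kind": "directory_change_by_vendor_sp",
                             "at": rec["activityDateTime"], "activity": activity})
    return findings

def flag_sign_ins(records, since=REVIEW_SINCE, approved=APPROVED_RANGES):
    """Findings for vendor SP sign-ins from outside the approved ranges."""
    findings = []
    for rec in records:
        if rec.get("servicePrincipalId") != VENDOR_SP_ID or parse_time(rec["createdDateTime"]) < since:
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in net for net in approved):
            findings.append({"kind": "sign_in_outside_approved_ranges",
                             "at": rec["createdDateTime"], "ip": str(ip)})
    return findings

def triage(audit_records, sign_in_records):
    """Run both checks and return one ordered list of findings."""
    return flag_audit_events(audit_records) + flag_sign_ins(sign_in_records)

# Constructed sample records shaped like Graph API output.
OTHER_SP_ID = "9a8b7c6d-1e2f-4a3b-8c4d-5e6f7a8b9c0d"  # hypothetical unrelated app
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-01-10T09:00:00Z",  # before the window: ignored
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"id": VENDOR_SP_ID, "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-18T02:41:00Z",  # new secret on the vendor SP: flagged
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"id": VENDOR_SP_ID, "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-18T02:43:00Z",  # vendor SP granting a role: flagged
     "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"app": {"servicePrincipalId": VENDOR_SP_ID}},
     "targetResources": [{"id": OTHER_SP_ID, "type": "ServicePrincipal"}]},
]
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2025-05-18T02:40:00Z", "servicePrincipalId": VENDOR_SP_ID,
     "ipAddress": "203.0.113.25"},   # approved range: ignored
    {"createdDateTime": "2025-05-18T02:42:00Z", "servicePrincipalId": VENDOR_SP_ID,
     "ipAddress": "198.51.100.77"},  # outside every approved range: flagged
    {"createdDateTime": "2025-05-18T08:00:00Z", "servicePrincipalId": OTHER_SP_ID,
     "ipAddress": "198.51.100.9"},   # a different SP: ignored
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT, SAMPLE_SIGN_INS):
        print(finding)
```

To run this against a real tenant, export the directory audit log (Graph `/auditLogs/directoryAudits`) and the service principal sign-in log as JSON, load them with `json.load`, and pass the record lists to `triage`. The three sample records that produce findings are the pattern to look for together: a fresh secret on the connector, followed minutes later by the connector granting a role, with the sign-in between them coming from an address the vendor does not own.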

Customer playbook: Commvault/M365 breach

For Vorlon customers using Microsoft 365 with Commvault backup

 

First, for a quick assessment of your status, filter by M365 and look for alerts and insights. Open the alert, collect the insight, and follow the actions in the response section (or ask our MCP AI server) to remediate the potential risk. For a more in-depth investigation, we recommend that you:

  1. Check for Unusual Commvault Activity
  • Use Vorlon to review recent sign-ins and API actions by the Commvault service principal.
  • Look for logins from unknown IPs or published indicators of compromise, and for any changes to Commvault credentials since the breach notification.
  2. Review and Reduce Commvault Permissions
  • Audit the permissions and access levels granted to Commvault in your Microsoft Entra ID (formerly Azure AD) tenant.
  • Remove excessive permissions and rotate or revoke credentials that aren’t needed.
  3. Monitor and Respond to Anomalies
  • Extend Vorlon's existing alert capability to detect suspicious Microsoft 365 data access or unusual behavior from the Commvault integration.
  • If anything looks off, revoke access directly from Vorlon immediately and contact Customer Success for help.

Questions or concerns?
Reach out to Vorlon Customer Success any time. We’re here to support you.

 

The broader lesson: SaaS ecosystem security is everyone’s business

 

CISA’s advisory points to a larger trend:

  • Attackers are targeting SaaS integrations, machine identities, and application secrets, not just end-user passwords.
  • Stolen or poorly managed app secrets (client secrets, API keys, OAuth tokens) can grant attackers broad access, often with more power than a human user and without the MFA and sign-in risk checks that protect interactive accounts.
  • Default configurations and excessive permissions in third-party SaaS tools multiply the potential impact of a compromise.

Even if you don’t use Commvault, ask yourself:

  • Do you know which third-party vendors have access to your cloud environments?
  • Can you quickly rotate or revoke their access if there’s a breach?
  • Are your app secrets and service principal permissions regularly reviewed and restricted to “least privilege”?

How Vorlon helps you see and secure the whole picture

 

The Commvault incident underscores why SaaS ecosystem security needs to evolve beyond point-in-time audits and manual reviews:

 

Bottom line

 

If you are a Commvault Metallic M365 backup customer, take action now. If you aren’t, use this moment to review the security of your SaaS integrations, secrets, and third-party permissions.

Attackers are moving beyond phishing and brute force. They’re exploiting the invisible web of machine identities, app secrets, and integrations that power modern SaaS.

The right visibility and controls can turn a potential crisis into a manageable incident.

Worried about SaaS integration risk? Let’s talk.

 

Book a demo to see it in action.

See how it works with a self-serve tour.

Follow us on LinkedIn for the latest SaaS security insights.

 

About the author


Anil Agrawal
Security Researcher at Vorlon

Anil Agrawal is a security researcher at Vorlon specializing in SOC optimization and has over eight years of experience in cybersecurity. Before joining Vorlon, he served as a Solutions Architect at Palo Alto Networks, where he designed advanced automation solutions and cybersecurity strategies for Fortune 500 clients. His career includes technical roles at Syracuse University, where he streamlined incident response processes and conducted malware analysis. Anil holds a Master’s degree in Management Information Systems from Syracuse University with a specialization in Information Security Management. Passionate about mitigating third-party application risks, he focuses on pioneering R&D to address evolving cybersecurity challenges. Connect with Anil on LinkedIn to explore collaborations in security innovation and stay updated on his latest contributions.