Commvault has shared indicators of compromise (IoCs) associated with the exploitation of a vulnerability recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2025-3928 (CVSS score of 8.7), the unspecified security defect can be exploited remotely to create and execute webshells, which leads to the complete compromise of vulnerable instances.
The issue impacts Commvault software versions 11.x prior to 11.36.46, 11.32.89, 11.28.141, and 11.20.217, which were released in late February with the necessary patches for Windows and Linux.
While CISA added CVE-2025-3928 to KEV this week, the bug had been exploited as a zero-day before Commvault learned of attacks targeting it.
“On February 20, 2025, Microsoft notified us about unauthorized activity within our Azure environment by a suspected nation-state threat actor. [….] Our forensic investigation discovered that the threat actor exploited a zero-day vulnerability,” the company said in early March.
The incident did not affect backup data that Commvault stores for its customers, and the incident did not have a material impact on its business, nor on its ability to serve its customers.
“Based on new threat intelligence, we continue to investigate recent activity by a nation-state threat actor contained within our Azure environment. This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” the company said in an April 29 update.
Commvault says it has notified the relevant authorities of the attack, and that it has implemented improved key rotation measures, as well as stronger monitoring rules following the attack.
Additionally, it has shared best practices and IoCs to help organizations hunt for potential compromise associated with CVE-2025-3928’s exploitation.
The company has identified five IP addresses associated with the attacks on its Azure environment and has urged customers to block them, as well as to monitor their Azure login logs, to identify potential sign-in attempts from these IPs.
Commvault also recommends applying a Conditional Access policy to Microsoft 365, Dynamics 365, and Azure AD, and rotating secrets between Azure and Commvault every 90 days.
“In addition to applying Conditional Access policies, it is recommended to regularly monitor sign-in activity to detect any access attempts originating from IP addresses outside of the whitelisted range. This can help quickly identify potential security breaches or account compromises,” the company says.
Related: Grafana Flaws Likely Targeted in Broad SSRF Exploitation Campaign
Related: Critical PHP Vulnerability Under Mass Exploitation
Related: Huntress Documents In-The-Wild Exploitation of Critical Gladinet Vulnerabilities
Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions