Company Announcement

Notice: Security Advisory (Update)

This post is part of our ongoing commitment to protect customers and share threat intelligence with the cybersecurity community.

By Danielle Sheer, Chief Trust Officer | May 4, 2025

What Happened

On February 20, 2025, Microsoft began notifying us regarding unauthorized activity by a nation-state threat actor based on their visibility within Azure environments. Commvault immediately launched an investigation with the assistance of leading cybersecurity experts and published a security advisory. We are working with appropriate authorities and known targeted customers as information becomes available to us. In April, Microsoft provided new threat intelligence and we published an update to the security advisory.

What’s New

According to industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments. Our investigation to date indicates this threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments. In response, Commvault has taken several remedial actions detailed below, including rotating credentials. Commvault continues to update indicators of compromise (IOCs) to enable customer investigations within their M365 environments.

Our investigation reveals there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.

What We’re Doing to Protect Customers:

- Rotating app credentials for M365 managed by Commvault and enhancing security monitoring.
- Updating security advisories, best practices, and IOCs.
- Providing optional configurations aligned with Microsoft’s latest security recommendations.
- Furthering responsible vulnerability disclosure and patching, specifically for CVE-2025-3928, which is the known CVE to date related to this security advisory.
- Continuing our investigation as we receive threat intelligence.

Recommended Actions for Customers:

For SaaS customers who have deployed custom applications

- Rotate app credentials for M365 used by Commvault as soon as possible.
- Revalidate registration for proper scoping and permissions.
- Apply conditional access policies on any single tenant app in use.
- Enforce least-privilege access with tightly scoped permissions.
- Stay up to date with Microsoft threat bulletins and Commvault updates.
- Review Entra ID audit logs using the IOCs.

Customers with questions can contact us at SecurityAdvisory@commvault.com.
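One way to carry out the "review Entra ID audit logs using the IOCs" action on exported audit records, as an added example that is not Commvault's or Microsoft's code. The field names follow the Microsoft Graph directoryAudit resource; the IOC networks are documentation-range placeholders (substitute the values from the security advisory), and the activity-name substrings and sample records are assumptions constructed for illustration.

```python
import ipaddress

# Placeholder IOC networks (documentation ranges), NOT values from the advisory.
IOC_NETWORKS = ["203.0.113.0/24", "198.51.100.7/32"]
# Assumed substrings of activity names that record app credential changes.
CREDENTIAL_HINTS = ("service principal credentials", "certificates and secrets")

# Constructed records; field names follow the Graph directoryAudit resource.
SAMPLE_RECORDS = [
    {"activityDateTime": "2025-03-01T02:14:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.45"}},
     "targetResources": [{"displayName": "Backup-App-Example"}]},
    {"activityDateTime": "2025-03-01T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com", "ipAddress": "192.0.2.10"}},
     "targetResources": [{"displayName": "Some User"}]},
    {"activityDateTime": "2025-03-02T11:30:00Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "Automation-Example"}}, "targetResources": [{"displayName": "Backup-App-Example"}]},
    {"activityDateTime": "2025-03-03T04:05:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "ops@example.com", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"displayName": "Example Group"}]},
]

def matches_ioc(ip, networks):
    """True if ip parses and falls inside an IOC network; missing or malformed IPs never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)

def review_audit_records(records, ioc_networks=IOC_NETWORKS):
    """Return records that change app credentials or were initiated from an IOC address."""
    networks = [ipaddress.ip_network(n) for n in ioc_networks]
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName") or ""
        ip = ((rec.get("initiatedBy") or {}).get("user") or {}).get("ipAddress")  # app-initiated: no IP
        reasons = []
        if any(hint in activity.lower() for hint in CREDENTIAL_HINTS):
            reasons.append("credential-change")
        if matches_ioc(ip, networks):
            reasons.append("ioc-ip")
        if reasons:
            targets = [t.get("displayName") for t in rec.get("targetResources") or []]
            findings.append({"time": rec.get("activityDateTime"), "activity": activity,
                             "ip": ip, "targets": targets, "reasons": reasons})
    return findings

if __name__ == "__main__": print(*review_audit_records(SAMPLE_RECORDS), sep="\n")
```

Credential changes are reported even when no IOC address matches, because app-initiated events carry no source IP and each one still needs to be reconciled against a known rotation.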