Commvault has confirmed that a zero-day vulnerability in its software was exploited by a suspected nation-state actor, leading to targeted activity in its Azure environment.
The issue, now tracked as CVE-2025-3928, was added this week to CISA’s Known Exploited Vulnerabilities catalog and carries a CVSS score of 8.7.
The flaw allows attackers to remotely create and execute webshells, enabling full system compromise on affected instances. According to Commvault, the vulnerability impacts versions 11.x prior to 11.36.46, 11.32.89, 11.28.141, and 11.20.217. Patches were released in late February 2025 for both Windows and Linux environments.
Commvault says it was notified by Microsoft on February 20 about suspicious activity. A forensic investigation revealed that the threat actor had exploited the bug before Commvault became aware of the attacks. The company initially disclosed the incident in early March, noting that the attack did not impact customer backup data, nor did it have a material effect on business operations or its ability to serve customers.
In an April 29 update, Commvault shared that the breach affected a small number of customers it shares with Microsoft. It is currently working with those organizations to provide support and assess further risk.
As part of its response, Commvault has:
- Reported the incident to authorities
- Improved key rotation policies
- Enhanced detection and monitoring capabilities
The company has also published indicators of compromise (IoCs) to help defenders hunt for signs of exploitation tied to CVE-2025-3928. Specifically, it has identified five IP addresses used in the attack and advised customers to block them and monitor Azure sign-in logs for any related activity.
In addition, Commvault recommends implementing Conditional Access policies across Microsoft 365, Dynamics 365, and Azure AD, and rotating secrets between Azure and Commvault every 90 days.
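As an added illustration of the two defender checks described above (it is not Commvault's or Microsoft's own tooling), the script below matches Azure AD sign-in records against a blocklist of IoC IPs and flags Azure app secrets older than the 90-day rotation window. The IP addresses, sign-in records and credential entries are constructed placeholders, since the page does not reproduce the published IoCs; the record fields are assumed to follow the Microsoft Graph signIn and passwordCredential layout.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed placeholder blocklist (RFC 5737 test ranges), NOT the five IPs Commvault published.
IOC_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.5", "198.51.100.6", "192.0.2.77"}

# Constructed sample sign-in export (newline-delimited JSON, Graph signIn-style fields).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-19T22:14:03Z", "userPrincipalName": "svc-commvault@example.test", "ipAddress": "198.51.100.5", "appDisplayName": "Commvault Backup", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-20T08:01:44Z", "userPrincipalName": "alice@example.test", "ipAddress": "10.20.30.40", "appDisplayName": "Office 365", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-20T09:12:51Z", "userPrincipalName": "svc-commvault@example.test", "ipAddress": "203.0.113.10", "appDisplayName": "Commvault Backup", "status": {"errorCode": 50126}}
"""

# Constructed sample of an app registration's passwordCredentials (hypothetical secret names).
SAMPLE_CREDENTIALS = [
    {"displayName": "commvault-azure-secret", "startDateTime": "2024-10-01T00:00:00Z"},
    {"displayName": "commvault-azure-secret-rotated", "startDateTime": "2025-03-15T00:00:00Z"},
]


def parse_ts(value):
    """Parse a Graph-style UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_ioc_signins(ndjson_text, ioc_ips):
    """Return sign-ins whose source IP is on the IoC blocklist, successful or not.
    Failed attempts (non-zero errorCode) are kept: a blocked-IP failure is still a signal."""
    hits = []
    for line in ndjson_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("ipAddress") in ioc_ips:
            hits.append({
                "time": rec["createdDateTime"],
                "principal": rec.get("userPrincipalName"),
                "ip": rec["ipAddress"],
                "app": rec.get("appDisplayName"),
                "succeeded": rec.get("status", {}).get("errorCode", 0) == 0,
            })
    return hits


def stale_secrets(credentials, now, max_age_days=90):
    """Return names of secrets whose start date is older than the rotation window."""
    cutoff = now - timedelta(days=max_age_days)
    return [c["displayName"] for c in credentials if parse_ts(c["startDateTime"]) < cutoff]


if __name__ == "__main__":
    for hit in flag_ioc_signins(SAMPLE_SIGNINS, IOC_IPS):
        print("IoC sign-in:", hit)
    print("secrets past 90 days:", stale_secrets(SAMPLE_CREDENTIALS, datetime.now(timezone.utc)))
```

In practice the sign-in export would come from the Azure AD sign-in logs and the credential list from the app registration; the matching and age logic stay the same.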
While no known ransomware group has claimed credit, this is yet another clear example of targeted attacks exploiting zero-days in enterprise software, and it underscores how coordinated actors continue to leverage trusted third-party environments to gain access.