The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about ongoing cyberattacks targeting SaaS platforms and cloud infrastructures, following reports from Commvault of unauthorized access to client secrets in its Azure-hosted Microsoft 365 backup service. Threat actors exploited a zero-day vulnerability, CVE-2025-3928, in Commvault’s web server, which allowed remote attackers to execute malicious web shells and access app credentials. The campaign is suspected to be part of a broader wave of nation-state activity targeting SaaS providers with weak configurations and excessive permissions.
CISA and Commvault have taken remediation steps, including rotating app credentials and enhancing Azure Entra monitoring. The agency advises organizations to review audit logs, apply conditional access policies, restrict administrative interfaces, and deploy web application firewalls to prevent exploitation. The incident underscores the growing risk to multi-tenant SaaS ecosystems and the need for enterprises to reinforce identity management, audit controls, and cloud access policies to protect sensitive business data.
