In a disturbing escalation of cyberattacks targeting enterprise SaaS infrastructure, Commvault, one of the world’s most trusted names in backup and disaster recovery, confirmed that its Metallic SaaS platform was breached by an advanced nation-state threat actor. The attack exploited a zero-day vulnerability (CVE-2025-3928) in Commvault’s internal web server, affecting its Microsoft Azure-hosted services.


Incident Summary

Commvault was alerted to unusual activity on February 20, 2025, by Microsoft’s internal threat intelligence team, which observed suspicious behavior in the company’s Azure environment. A forensic investigation revealed that attackers had exploited a zero-day vulnerability to deploy webshells and exfiltrate application secrets, which granted access to downstream Microsoft 365 (M365) tenant data in certain environments.

The affected platform, Metallic, is widely used by organizations for backup and recovery of cloud workloads including Microsoft 365, Salesforce, endpoints, and Azure data. Because Metallic holds a privileged position in customer ecosystems, its compromise significantly elevated the severity of the incident.