
Commvault CVE-2025-3928 Targeted by Attackers

Microsoft alerted the company to the issue in February

Attackers have targeted an unspecified vulnerability that exists in several versions of the Commvault Web Server, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.

The bug is something of a mystery, though. Commvault published an advisory on March 7 saying that Microsoft had advised the company about unauthorized activity within its Azure environment on Feb. 20. Microsoft attributed the activity to a nation-state actor and Commvault started an investigation to determine the extent of the intrusion.

“Our investigation validated that unauthorized access affected a handful of customers and we promptly contacted them to provide assistance. Our investigation also confirmed there was no unauthorized access to any data that Commvault protects for any customer, and no impact on Commvault’s business operations or ability to deliver our products and services,” the company said in March.

Since then, Commvault has continued its investigation into the vulnerability (CVE-2025-3928) but has not released any new details about the vulnerability itself.

“Based on new threat intelligence, we continue to investigate recent activity by a nation-state threat actor contained within our Azure environment. This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” Daniel Sheer, the chief trust officer at Commvault, said.

“Our forensic investigation discovered that the threat actor exploited a zero-day vulnerability, which has been patched and we encourage our software customers to do the same. We also rotated affected credentials, continue to further harden our defenses and work with law enforcement.”

Commvault said that an attacker needs legitimate user credentials within the Commvault Software environment in order to exploit the flaw. The fixed versions of the software are 11.36.46, 11.32.89, 11.28.141, and 11.20.217 on both Windows and Linux.
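As an added example (not code from Commvault or from this article), a small triage helper that compares an inventory of Commvault version strings against the four fixed builds listed above. It assumes the usual 11.&lt;branch&gt;.&lt;build&gt; numbering and reports versions outside those four branches as unknown, since the article gives no lower bound for affected releases.

```python
# Added example, not from the Commvault advisory or this article: checks a
# Commvault version string against the fixed versions the article lists.
# Assumptions: versions are dotted integers "11.<branch>.<build>" and the four
# fixed builds named in the article are the minimum safe build for each
# branch. The article does not state a lower bound for affected versions, so
# versions in other branches are reported as "unknown" rather than guessed.

from typing import Dict, Tuple

# Fixed versions for CVE-2025-3928 as stated in the article (Windows and Linux).
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    36: (11, 36, 46),
    32: (11, 32, 89),
    28: (11, 28, 141),
    20: (11, 20, 217),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.36.40' into (11, 36, 40); rejects non-numeric components."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def patch_status(text: str) -> str:
    """Return 'fixed', 'update-needed' or 'unknown' for one version string.

    'update-needed' means the version sits in one of the four branches the
    article names and is older than that branch's fixed build; it only shows
    the install predates the fix, not that it is exploitable.
    """
    version = parse_version(text)
    major, branch = version[0], version[1]
    if major != 11 or branch not in FIXED_VERSIONS:
        return "unknown"
    return "fixed" if version >= FIXED_VERSIONS[branch] else "update-needed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for an inventory of host -> version string."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"cs01": "11.36.40", "cs02": "11.32.89", "cs03": "11.28.150", "cs04": "11.24.10"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```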