CISA flags Commvault zero-day as part of wider SaaS attack campaign

CISA calls for swift patching: The high-severity flaw (CVSS 8.7 out of 10) affecting Commvault Web Server allowed bad actors to create and execute webshells within compromised environments. On 28 April 2025, CISA added the three vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV), giving FCEB agencies until 19 May 2025 to patch their systems under the directive to remediate dangerous vulnerabilities across civilian agencies.

The company fixed the flaw promptly after being flagged by Microsoft in February. Fixes were rolled out in Commvault versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.

CISA recommended that organizations immediately apply patches along with additional mitigations, which include monitoring and reviewing Microsoft Entra audit logs, Entra sign-in, and unified audit logs, implementing a conditional access policy to limit authentication within single-tenant applications, and rotating application secrets and credentials on Commvault Metallic applications.

Omri Weinberg, CEO at DoControl, connects the incident to a broader trend. “Attackers are pivoting from endpoint and network-based attacks to exploiting over-permissioned SaaS environments and misconfigured cloud applications,” Weinberg said. “Security teams need to treat SaaS with the same rigor as traditional infrastructure starting with strong access governance, continuous monitoring of third-party app integrations, and limiting the blast radius through least privilege access.”

Internal investigation did not reveal any unauthorized access to customer backup data that Commvault stores and protects, the company had said in a statement in May, adding that it expects no material impact on Commvault’s business operations or its ability to deliver products and services.
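The fixed versions quoted above can be turned into a patch-level triage over an asset inventory. This is an added example, not code from Commvault, CISA or the article; it assumes each fixed version applies to its own 11.x release line with a maintenance number that only increases, and the hostnames and installed versions are constructed.

```python
import re

# Fixed builds quoted in the article, keyed by release line (major, minor).
# Assumption: a build is patched when its third component is >= the fixed
# maintenance number for the same release line.
FIXED = {(11, 36): 46, (11, 32): 89, (11, 28): 141, (11, 20): 217}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)", re.ASCII)

def triage(version):
    """Classify one installed version string against the fixed builds."""
    match = VERSION_RE.fullmatch(version.strip())
    if match is None:
        return "unparseable"      # needs a manual look, never assume patched
    major, minor, maint = (int(g) for g in match.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-line"     # release line not named in the article
    return "patched" if maint >= fixed else "needs-patch"

def triage_inventory(inventory):
    """Return (host, version, status) tuples, hosts needing action first."""
    order = {"needs-patch": 0, "unparseable": 1, "unknown-line": 2, "patched": 3}
    rows = [(host, ver, triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "cv-web-01": "11.36.45",
    "cv-web-02": "11.32.89",
    "cv-web-03": "11.34.12",
    "cv-web-04": "v11 SP28",
}

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE):
        print(f"{host:10} {ver:10} {status}")
```

Hosts reported as `unparseable` or `unknown-line` are deliberately not treated as patched and should be checked by hand against the vendor advisory.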

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3994999/cisa-flags-commvault-zero-day-as-part-of-wider-saas-attack-campaign.html
