Commvault confirms a state-sponsored cyberattack on its Azure environment but assures no compromise of customer backup data.
Commvault, a major provider of data protection and cyber resilience solutions, has confirmed a recent security breach in its Azure environment. The incident, attributed to a nation-state threat actor, was first detected after a February 20 alert from Microsoft. However, Commvault reassures that the breach did not affect customer backup data or disrupt business operations.
The company, which serves over 100,000 organizations and is listed on NASDAQ, stated that its core data protection services remain intact and secure.
According to Commvault's investigation, only a small number of customers were affected, and the attack had no material impact on products or services. The threat actor exploited a now-patched zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server software. The flaw allowed remote, low-privilege authenticated attackers to install webshells on vulnerable servers.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog, requiring all federal agencies to secure affected Commvault software by May 19, 2025, under Binding Operational Directive 22-01.
Commvault is actively collaborating with two cybersecurity firms and is in contact with federal authorities, including the FBI and CISA.
Chief Trust Officer Danielle Sheer stated: “Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.”
In its support documentation, Commvault also shared technical guidance to defend against similar intrusions. The guidance includes enforcing Conditional Access policies across Microsoft cloud services, monitoring for abnormal sign-ins, and rotating client secrets every 90 days.
“If any unauthorized access is detected, immediately report the incident to Commvault Support for further investigation and remediation,” the company advised.
While Commvault's customer data was reportedly untouched, the incident reinforces how quickly attackers can leverage newly discovered flaws to gain a foothold. For federal agencies and businesses alike, the case serves as a reminder of the importance of proactive patching, identity monitoring, and secure cloud configurations. As cyberattacks grow more targeted and sophisticated, transparency and rapid coordination, like that shown by Commvault, are becoming required elements of effective incident response.
Nation-state groups often go after infrastructure providers because breaching a single vendor can offer indirect pathways into hundreds of downstream organizations.
Complex cloud environments can have misconfigurations or unpatched zero-days that attackers exploit to gain persistence, often before detection tools flag any anomalies.
It compresses response timelines: organizations must treat patching, access controls, and monitoring as urgent, continuous processes, not scheduled checkboxes.
It highlights the growing expectation for immediate transparency, coordination with federal agencies, and fast technical guidance; silence is no longer an option.
Yes. Confidence hinges not just on data integrity but also on how a company responds; proactive disclosure and visible containment are now core to brand resilience.