AppGov Score Blog


Commvault Metallic Vulnerability (CVE-2025-3928) Exposed OAuth Credentials

August 8, 2025 Nicolas Blank

Commvault Metallic Vulnerability

Backup applications are designed to protect your data, but when over-permissioned, they become high-value targets for threat actors. I’ve been co-presenting an Entra ID App Governance webinar series about the potential dangers of Entra ID (formerly Azure AD) app registrations whose granted permissions give them far-reaching access to your data. In this article, I’m going to break down a real-world exploit involving a well-known backup application. Ironically, many of the real-world applications I used in my webinar demos to highlight potentially over-permissioned apps were backup applications themselves. By understanding how these vulnerabilities and breaches take place, we can all be better prepared to close security and governance gaps.

Summary of Commvault Metallic Vulnerability 

On February 20, 2025, Microsoft notified Commvault of unauthorized activity within Commvault’s Azure environment by a suspected nation-state threat actor. The attackers exploited a zero-day vulnerability (CVE-2025-3928) in the web server underpinning Commvault’s Metallic SaaS platform, which is used for Microsoft 365 backups.

The vulnerability allowed an authenticated attacker to deploy web shells, which in turn gave them access to stored client secrets. That opened the door to unauthorized access into customers’ Microsoft 365 environments. Customer data was at risk, including the OAuth credentials themselves and the downstream Exchange, SharePoint, Teams, and Dynamics 365 data they protect.

Who is being exploited? 

I’ll start by calling out the terms and the parties for the rest of this article:  

Commvault is a long-standing player in enterprise backup and recovery, known for its data protection software and services, including Commvault Metallic, its managed SaaS offering. Metallic is backup-as-a-service, hosted in Microsoft Azure and designed for workloads such as M365, Azure Virtual Machines, Salesforce, and more.

CVE-2025-3928 is the identifier assigned to the vulnerability. It was a zero-day, meaning it was exploited before a patch existed; it affected Metallic and was used in the wild by a nation-state actor.

CISA is the U.S. Cybersecurity and Infrastructure Security Agency. On 22 May 2025, CISA published an updated advisory warning that threat actors had been actively exploiting this flaw in Commvault’s SaaS platform.  

Commvault Metallic Vulnerability Details: CVE-2025-3928 

Threat actors exploited the zero-day (CVE-2025-3928) to gain unauthorized access to Commvault’s internal infrastructure, including components tied to Metallic. Once in, they gained access to customers’ M365 service principal credentials.

You’ll note here that Commvault uses separate client secrets as the credentials for accessing Exchange Online, OneDrive for Business, SharePoint Online, and Dynamics 365. Those are the credentials used within your own tenant, but Metallic itself is a cross-tenant application: once Commvault’s environment was compromised, the downstream customer tenants whose credentials it held were also in scope for the attackers.

The Impact 

OAuth credentials are the way Metallic accesses a customer's M365 tenant for backup. Essentially, they are client secrets that let the backup service obtain access tokens granting programmatic access to Exchange Online, SharePoint, OneDrive, Teams, etc. In many cases, these were:

  • Over-permissioned, with application permissions such as Mail.ReadWrite, Files.Read.All, and Sites.Read.All
  • Long-lived, many with no expiry or rotation
  • Stored centrally for use by Commvault’s backup engine

Once attackers obtain these, they gain durable, high-privilege access to tenants and data, acting as the application rather than as any user. With the M365 service principal’s credentials, they could use the Microsoft Graph API to enumerate users, mailboxes, sites, and the other applications registered in the tenant, depending, of course, on how generous the granted scopes were and how the tenant was configured.

For affected customers, it isn’t just a risk to Exchange or SharePoint. It’s a potential bridgehead into other platforms integrated with the tenant, such as Salesforce, ServiceNow, Box, etc. Since attackers act as the application, their activity blends in with the application’s legitimate traffic and is hard to discern.

Most monitoring and alerting focuses on user activity, such as logins, MFA, and impossible travel. Application-to-application activity, that is, service principal tokens doing what they’re “supposed” to do, tends to fly under the radar.

For most customers, the real issue is limited visibility into what their applications and service principals are up to. Attacker activity that hides inside otherwise normal behavior in this way is often described as masquerading or living off the land.

Commvault’s Response 

To their credit, Commvault has published several advisories and updates. In response to the breach, Commvault patched the affected components, rotated credentials, and issued guidance for regenerating service principals. Commvault now recommends using modern OAuth scopes with credential expiry limits going forward.

What about my backup vendor? 

The Commvault attack is a supply chain attack: an upstream component (the vendor’s SaaS platform) was compromised to gain access to the downstream customer environments it was trusted with. What about your backup vendor?

Scrolling through the Application permissions for your vendor's backup application in the Entra administration blade, you may find permissions like those in the picture below:

[Image: Application permissions]

A casual look through any of these permissions should cause some concern: application permissions are un-scoped and therefore tenant-wide, so their nature and reach extend to every mailbox, site, or file in the tenant.

You’ll further notice that for most of the applications, the Enterprise Application Owners field is empty. Nobody is accountable for the app, and an owner of an application or service principal can add credentials to it, so any attacker who manages to become an owner can mint their own secret and act as that application.

[Image: Enterprise Application Owners field]
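The review described above is tedious to do app by app in the portal. The following script is an added example, not code from the original post, from Commvault or from ENow: it walks every application service principal in the tenant with the Microsoft Graph PowerShell SDK, resolves each application permission (app role assignment) to its name, and flags the two gaps discussed here, tenant-wide high-impact permissions and an empty owners list. The `$HighImpact` list is my own assumption about which permissions deserve scrutiny and should be adjusted to your policy; the cmdlets are the SDK's own.

```powershell
# Added example, not from the original post, Commvault or ENow.
# Inventory application service principals, resolve their application permissions,
# and flag tenant-wide high-impact grants and ownerless apps.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Assumption: our own list of permissions treated as high impact when granted as
# application (tenant-wide) permissions. Extend it to match your policy.
$HighImpact = @(
    'Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All',
    'Sites.Read.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All',
    'Directory.ReadWrite.All', 'Application.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'full_access_as_app'
)

# App role ids only mean something on the resource that defines them (Microsoft
# Graph, Office 365 Exchange Online, ...), so cache each resource's AppRoles once.
$resourceCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }
}

$report = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    # Application permissions granted to the app are the app role assignments it holds.
    $grants = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        [pscustomobject]@{
            Resource   = $a.ResourceDisplayName
            Permission = Resolve-AppRoleName -ResourceId $a.ResourceId -AppRoleId $a.AppRoleId
        }
    }
    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)

    # Credentials are visible here only for apps registered in this tenant. A
    # multi-tenant vendor app keeps its client secrets in the vendor's own tenant,
    # which is exactly where Metallic's were exposed.
    $creds     = @($sp.PasswordCredentials) + @($sp.KeyCredentials)
    $longLived = @($creds | Where-Object { $_.EndDateTime -gt (Get-Date).AddYears(1) })
    $risky     = @($grants | Where-Object { $_.Permission -in $HighImpact } |
                   ForEach-Object { '{0}: {1}' -f $_.Resource, $_.Permission })

    [pscustomobject]@{
        DisplayName     = $sp.DisplayName
        AppId           = $sp.AppId
        HomeTenantId    = $sp.AppOwnerOrganizationId   # differs from your tenant id for third-party apps
        Ownerless       = ($owners.Count -eq 0)
        PermissionCount = @($grants).Count
        HighImpactCount = $risky.Count
        HighImpact      = ($risky -join '; ')
        LongLivedCreds  = $longLived.Count
    }
}

# Riskiest first: high-impact tenant-wide permissions held by an app nobody owns.
$report |
    Where-Object { $_.HighImpactCount -gt 0 } |
    Sort-Object -Property @{ Expression = 'Ownerless'; Descending = $true }, DisplayName |
    Format-Table DisplayName, HomeTenantId, Ownerless, LongLivedCreds, HighImpact -AutoSize

# Keep the full inventory for the governance review.
$report | Export-Csv -Path .\sp-permission-inventory.csv -NoTypeInformation
```

A `HomeTenantId` that is not your own tenant id marks a third-party app such as a backup vendor's; for those, `LongLivedCreds` will always be zero because the secrets live in the vendor's tenant, which is the point of the Commvault story: you cannot see or rotate them yourself.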

Mitigation Steps for Microsoft 365 Backup App Vulnerability 

  1. Check for signs of compromise.
    Review the Entra sign-in and audit logs for anomalous access patterns linked to your backup service principals: new IP addresses, resources the backup never touched before, or activity outside the backup schedule. Are your applications doing what applications should be doing, or are they acting like humans? Have you enabled your audit logs, and are you retaining them?

  2. Rotate your credentials.
    Immediately revoke and re-authorize Metallic’s M365 access using fresh credentials (client secrets or certificates) with minimal scopes and a short expiry, and remove the old credentials once the vendor has the new ones.

  3. Limit permissions.
    Where possible, use fine-grained OAuth scopes and Conditional Access policies for workload identities to contain the blast radius. You may need guidance from your vendor (who may not know how to answer your questions) to avoid breaking the application.

  4. Review third-party app governance.
    Not only your backup applications, but all of your SaaS application integrations using service principals must be reviewed. Learn more about Entra ID App Governance from the AppGov Community.
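Steps 1 and 2 above, worked through for one backup service principal, as an added example that is not code from the original post, from Commvault or from ENow. Step 1 summarizes the last 14 days of service principal sign-ins for the app by source IP and target resource, so a new egress address or a resource the backup never touched stands out; step 2 rotates the client secret on the app registration with a 90-day expiry and retires the old ones. Service principal sign-ins are exposed by the beta `auditLogs/signIns` endpoint (module Microsoft.Graph.Beta.Reports) and require an Entra ID P1 or P2 license. `$BackupAppId` and `$KnownEgress` are placeholders to be replaced with your vendor's app (client) id and the egress addresses the vendor publishes; the cmdlets are the SDK's own.

```powershell
# Added example, not from the original post, Commvault or ENow.
# Step 1: hunt for service principal sign-ins that do not look like a backup job.
# Step 2: rotate the client secret on the app registration and remove the old ones.
# Requires Microsoft.Graph and Microsoft.Graph.Beta.Reports.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Application.ReadWrite.All' -NoWelcome

$BackupAppId = '00000000-0000-0000-0000-000000000000'   # placeholder: your vendor's app (client) id
$KnownEgress = @('203.0.113.10', '203.0.113.11')        # placeholder (TEST-NET-3): vendor-published egress IPs

# --- Step 1: are the app's sign-ins doing what a backup job should? ---
$since  = (Get-Date).AddDays(-14).ToUniversalTime().ToString('o')
$filter = "signInEventTypes/any(t: t eq 'servicePrincipal') and appId eq '$BackupAppId' and createdDateTime ge $since"
$signIns = @(Get-MgBetaAuditLogSignIn -Filter $filter -All)

$summary = $signIns |
    Group-Object -Property IpAddress, ResourceDisplayName |
    ForEach-Object {
        $ip = $_.Group[0].IpAddress
        [pscustomobject]@{
            IpAddress   = $ip
            KnownEgress = ($ip -in $KnownEgress)          # false => an address the vendor did not publish
            Resource    = $_.Group[0].ResourceDisplayName  # a resource never seen before is worth a look
            SignIns     = $_.Count
            Failures    = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
            First       = ($_.Group.CreatedDateTime | Measure-Object -Minimum).Minimum
            Last        = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
        }
    }
# Unknown egress addresses float to the top.
$summary | Sort-Object KnownEgress, SignIns -Descending | Format-Table -AutoSize

# --- Step 2: rotate the secret on the app registration ---
# Only possible when the app registration lives in your tenant (single-tenant
# backup setups). For a multi-tenant vendor app the secret is the vendor's to rotate.
$app = Get-MgApplication -Filter "appId eq '$BackupAppId'" | Select-Object -First 1
if (-not $app) { throw "No app registration for $BackupAppId in this tenant; ask the vendor to rotate." }

$newSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "rotated $(Get-Date -Format 'yyyy-MM-dd')"
    EndDateTime = (Get-Date).AddDays(90)                  # short-lived, so it must be rotated again
}
# $newSecret.SecretText is returned exactly once: hand it to the backup service now
# (for example in the vendor's portal) before continuing.
Write-Host "New secret KeyId $($newSecret.KeyId) expires $($newSecret.EndDateTime)"

# Once the vendor is using the new secret, retire every other secret on the registration
# so a copy exfiltrated from the vendor's platform no longer works.
$app = Get-MgApplication -ApplicationId $app.Id
foreach ($cred in $app.PasswordCredentials | Where-Object { $_.KeyId -ne $newSecret.KeyId }) {
    Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
}
```

Run step 1 on a schedule rather than once: the value is in comparing this week's IP addresses and resources against last week's, which is exactly the application-to-application baseline most tenants never build.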

We must understand the risk surface we accept when we entrust our core platforms, like Microsoft 365, to backup services. Metallic’s value proposition, like that of other backup vendors, hinges on delegated access. That delegation must be scoped, monitored, and revocable, because once those credentials are out in the wild, they’re keys to the kingdom.

Key Takeaways 

  • Threat actors exploited CVE-2025-3928 in Commvault Metallic to access Microsoft 365 credentials 
  • Backup apps often have high-risk, over-permissioned access 
  • Customers must review and rotate service principals regularly 
  • ENow’s tools simplify detection of risky apps across Entra ID 


How does ENow App Governance Accelerator help? 

While trawling through each application in your Entra tenant is an option, several prepared reports in App Governance Accelerator will kickstart your journey, including Enterprise Applications with API Permissions, Risk Analysis, and Ownerless Apps, among others.

Each of these reports is filterable, allowing you to catalog and understand your risk exposure, down to each individual permission. 

ENow Enterprise Applications with API Permissions

Concerned about over-permissioned backup apps in your Microsoft 365 tenant? 

ENow’s App Governance Accelerator helps you uncover app risks fast and strengthen your application governance posture. 

✅ Quickly identify high-risk applications 
✅ Filter by API permissions and scopes 
✅ Pinpoint apps with no assigned owners or expiring credentials 

🔍 Don’t wait for an incident. Start your Entra ID App Governance risk assessment now with ENow AppGov Score and get a 7-day upgrade to App Governance Accelerator Standard to try it for yourself.


Written by Nicolas Blank

Nicolas is the founder of NBConsult, as well as an architect, author and speaker focused on Office 365 and Azure. Nicolas is a Microsoft Certified Master for Exchange and Office 365 and has been a Microsoft MVP (Most Valuable Professional) for Microsoft Office Apps and Services since March 2007. Nicolas has co-authored “Microsoft Exchange Server 2013: Design, Deploy and Deliver an Enterprise Messaging Solution”, published by Sybex.