In a significant breach attributed to the Chinese nation-state hacking group known as Silk Typhoon, Commvault’s Metallic Software as a Service (SaaS) platform has been compromised, raising alarms about the security of cloud-hosted services. The group, linked to the Chinese government, has a history of targeting U.S. critical infrastructure, including networks associated with the Treasury Department. Microsoft’s threat intelligence team categorizes Silk Typhoon as a sophisticated nation-state actor, and this incident is viewed as part of a broader cyber espionage campaign.
A major breach by the Silk Typhoon hacking group has compromised Commvault’s Metallic SaaS, highlighting serious cloud security vulnerabilities.
The breach exploited a zero-day vulnerability, identified as CVE-2025-3928, in the Commvault Web Server hosted on Microsoft Azure. With a severity rating of 8.7, the vulnerability allowed authenticated attackers to create web shells, giving them persistent access to the environment. Reports indicate that the flaw went unpatched for several months, enabling unauthorized exploitation since at least February 2025. This incident is also part of a broader campaign targeting several SaaS companies, underscoring the threat landscape organizations face. It coincided with a recent CISA warning that stressed the urgent need for organizations to follow security best practices and strengthen their defenses. As with the Alert Logic monitoring implemented by WebTPA, continuous monitoring has become crucial for detecting and preventing such sophisticated attacks.
As a consequence, CISA has since added this zero-day to its Known Exploited Vulnerabilities (KEV) catalog to prompt organizations to remediate it urgently.
Within the SaaS environment, the attack primarily targeted Commvault’s Metallic SaaS, a backup solution for Microsoft 365 hosted on Azure. As a result, attackers potentially compromised multiple M365 application credentials, providing unauthorized access to sensitive data. The breach illustrates the risks SaaS providers face from over-privileged permissions and default cloud configurations, both of which attackers commonly exploit.
The timeline for detection and public disclosure began when Microsoft alerted Commvault in February 2025 regarding suspicious activity.
However, public disclosure of the breach and the associated vulnerability only came in May 2025, following extensive investigations. This delay allowed the attacker’s activities to continue undetected, prompting subsequent warnings from CISA to organizations using Commvault Metallic to bolster their defenses.