Enterprise data backup provider Commvault has confirmed that a nation-state threat actor breached its Microsoft Azure environment using a previously unknown zero-day vulnerability (CVE-2025-3928). The company said that there is no evidence of unauthorized access to customer backup data or of disruption to its operations.
In a security update, Commvault said the breach was limited in scope and impacted a small number of customers shared with Microsoft. The company is working closely with those customers to provide assistance and further mitigate risks.
“Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services,” the company said.
The disclosure follows a notification from Microsoft on February 20, alerting Commvault to suspicious activity within its Azure cloud environment. The attack was later confirmed to involve the exploitation of CVE-2025-3928 as a zero-day vulnerability. Commvault has since rotated compromised credentials and implemented additional security measures.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog.
Meanwhile, SonicWall has confirmed that two critical vulnerabilities affecting its Secure Mobile Access (SMA100) appliances are being actively exploited in the wild.
One of the flaws is CVE-2023-44221, a command injection issue that allows a remote user with administrative privileges to pass specially crafted data to the application and execute arbitrary OS commands on the target system.
The second vulnerability is CVE-2024-38475, a flaw in Apache’s mod_rewrite that can be exploited to access restricted file paths, potentially leading to session hijacking.
Both vulnerabilities affect SMA 100 Series devices, including models 200, 210, 400, 410, and 500v. Fixes were issued in version 10.2.1.10-62sv (Dec. 4, 2023) for CVE-2023-44221 and in version 10.2.1.14-75sv (Dec. 4, 2024) for CVE-2024-38475.
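Because the two fixes landed in different firmware builds a year apart, an appliance can be patched for one CVE and still exposed to the other. The following triage helper, added here as an illustration and not a SonicWall tool, compares an installed SMA 100 firmware string against the two fix versions named in the advisories. It assumes the firmware string layout `A.B.C.D-Nsv` (four dotted numeric fields, a numeric build number, and the `sv` suffix) and that builds order numerically field by field; the sample inventory strings in the `__main__` block are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Fixed firmware versions as stated in the SonicWall advisories cited in the article.
FIXED_VERSIONS: Dict[str, str] = {
    "CVE-2023-44221": "10.2.1.10-62sv",  # post-authentication OS command injection
    "CVE-2024-38475": "10.2.1.14-75sv",  # Apache mod_rewrite file access / session hijacking
}

# Assumed layout of an SMA 100 firmware string: four dotted numeric fields,
# then a hyphen, a numeric build number and the literal suffix "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.10-62sv' into (10, 2, 1, 10, 62) so tuples compare numerically.

    Numeric comparison matters: a plain string compare would rank '10.2.1.9-57sv'
    above '10.2.1.14-75sv' because the character '9' sorts after '1'.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised SMA firmware version string: {version!r}")
    return tuple(int(field) for field in match.groups())


def unpatched_cves(installed: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> List[str]:
    """Return the CVE ids whose fix version is newer than the installed firmware."""
    current = parse_version(installed)
    return sorted(cve for cve, fix in fixed.items() if current < parse_version(fix))


def triage(installed: str) -> str:
    """One-line verdict suitable for an inventory report (constructed helper)."""
    try:
        missing = unpatched_cves(installed)
    except ValueError as exc:
        # Unparseable strings are reported rather than silently treated as patched.
        return f"{installed}: UNKNOWN ({exc})"
    if not missing:
        return f"{installed}: patched for both advisories"
    return f"{installed}: MISSING fixes for {', '.join(missing)}"


if __name__ == "__main__":
    # Constructed sample inventory. "10.2.1.9-57sv" and "garbage" are made up
    # for illustration and are not versions mentioned in the advisories.
    for firmware in ["10.2.1.9-57sv", "10.2.1.10-62sv", "10.2.1.14-75sv", "garbage"]:
        print(triage(firmware))
```

A device reporting exactly 10.2.1.10-62sv is flagged as still missing the CVE-2024-38475 fix, which is the case the advisory update is most likely to catch out: the 2023 patch is in place, but the mod_rewrite fix arrived a year later. Anything the regex does not recognise is surfaced as UNKNOWN so that a malformed inventory entry is never mistaken for a patched appliance.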
On April 29, SonicWall updated its advisories, confirming exploitation in the wild and urging customers to inspect devices for signs of unauthorized logins.
“During further analysis, SonicWall and trusted security partners identified that 'CVE-2023-44221 - Post Authentication OS Command Injection' vulnerability is potentially being exploited in the wild,” the advisory said.
Similarly, the company noted that “during further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking.”
It is currently unclear which threat actor is behind the exploitation, and the scale of the attacks also remains unknown.