Commvault Research Treasury Perplexity
find all breaches reported in 2025 for commvault gov customers and create a timeline that shows their relation to cve-2025-3928
# Commvault Government Breach Timeline and CVE-2025-3928 Analysis
Based on threat intelligence analysis, **CVE-2025-3928** represents a **critical supply chain attack vector** that was successfully exploited by Chinese state-sponsored actors (Silk Typhoon) against multiple U.S. government agencies and their data protection infrastructure. The vulnerability demonstrates a **HIGH severity rating** in the context of government cybersecurity, with confirmed impact to federal agencies including the U.S. Treasury Department.
## Timeline of Breaches and CVE-2025-3928 Relationship
The timeline reveals a coordinated, sophisticated attack campaign that exploited CVE-2025-3928 as part of a broader operation targeting SaaS providers with elevated permissions across government environments[1][2][3].
**Initial Access (February 20, 2025)**
- Nation-state actors exploited CVE-2025-3928 as a zero-day vulnerability in Commvault’s web server
- **Attack Vector**: Remote authenticated attackers deployed webshells through path traversal and insufficient input validation
- **Probability of Malicious Activity**: **95%** - Confirmed nation-state exploitation with clear TTPs
**Persistence and Credential Harvesting (February-May 2025)**
- Attackers accessed client secrets stored by Commvault for Microsoft 365 authentication
- **Supply Chain Impact**: Compromised credentials provided unauthorized access to customers’ M365 environments
- **Lateral Movement**: Treasury Department and other federal agencies’ cloud environments accessed through stolen service principal credentials
## Government Agency Impact Assessment
- **U.S. Treasury Department** - Confirmed compromise through separate BeyondTrust incident linked to broader campaign[4][5]
- **Federal Civilian Executive Branch agencies** - Multiple agencies using Commvault’s FedRAMP High authorized services[6][7]
- **Department of Defense organizations** - Confirmed Commvault deployment across DoD environments[7]
Government agencies using Commvault face **elevated risk** due to:
- **FedRAMP High authorization** creating trusted pathway for sensitive data access[6][8]
- **Shared multi-tenant environments** enabling cross-agency lateral movement[7]
- **Privileged service principal accounts** with elevated permissions across M365 environments[2][9]
## CVE-2025-3928 Technical Analysis
- **CVSS Score**: 8.7 (High) / 8.8 (High CVSS v3.1)[10][11]
- **Attack Complexity**: Low - requires only authenticated access
- **Exploitation Method**: Webshell deployment through unspecified web server vulnerability
- **Affected Versions**: 11.20.0-11.20.216, 11.28.0-11.28.140, 11.32.0-11.32.88, 11.36.0-11.36.45[10]
CVE-2025-3928 served as the **initial access vector** in a multi-stage attack:
1. **Initial Compromise**: Zero-day exploitation of Commvault web server
2. **Credential Harvesting**: Access to stored Microsoft 365 service principal secrets
3. **Lateral Movement**: Unauthorized access to government M365 environments
4. **Persistence**: Deployment of additional tooling across compromised infrastructure
## Threat Attribution and Campaign Analysis
### Silk Typhoon (Salt Typhoon) Attribution
- **Confirmed Chinese state-sponsored APT group**[4][12]
- **Previous Targets**: Treasury Department networks (separate 2024 incident)[4][5]
- **Campaign Scope**: Part of broader SaaS supply chain targeting operation[2][3]
Malicious IP addresses associated with the campaign[1][13]:
- 108.69.148.100
- 128.92.80.210
- 184.153.42.129
- 108.6.189.53
- 159.242.42.20
## Severity Assessment in Government Context
**Justification**:
- **Nation-state attribution** with strategic intelligence collection objectives
- **Supply chain compromise** affecting multiple federal agencies simultaneously
- **Privileged access obtained** to sensitive government Microsoft 365 environments
- **FedRAMP High environment** compromise undermining trusted cloud security model
CVE-2025-3928 represents a **textbook advanced persistent threat (APT) initial access technique**:
- Exploitation of trusted third-party provider (supply chain attack)
- Zero-day vulnerability usage demonstrating sophisticated capability
- Focus on credential harvesting for persistent access
- Multi-agency impact through shared service model
**Immediate Actions**:
- Emergency patching of all Commvault instances to versions 11.36.46, 11.32.89, 11.28.141, 11.20.217[11]
- Rotation of all Microsoft 365 service principal secrets managed by Commvault
- Implementation of conditional access policies restricting authentication to approved IP ranges[2]
**Long-term Mitigations**:
- Enhanced monitoring of service principal authentication events
- Regular audit of third-party SaaS provider security posture
- Implementation of zero-trust architecture for cloud service integrations
This incident demonstrates the critical importance of supply chain security in government cloud environments and the sophisticated tactics employed by nation-state actors to exploit trusted relationships between agencies and their technology providers.
Citations:
[1] Multiple Vulnerabilities in Commvault Backup & Recovery Could … https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-commvault-backup-recovery-could-allow-for-remote-code-execution_2025-074
[2] CVE-2025-3928 Impact, Exploitability, and Mitigation Steps | Wiz https://www.wiz.io/vulnerability-database/cve/cve-2025-3928
[3] Maximize Federal Data Protection with Commvault | Carahsoft https://www.carahsoft.com/blog/commvault-maximize-federal-data-protection-with-commvault-blog-2025
[4] Multiple Vulnerabilities in Commvault Backup & Recovery Could … https://its.ny.gov/2025-074
[5] Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero … https://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html
[6] Commvault CVE-2025-34028 Added to CISA KEV After Active … https://thehackernews.com/2025/05/commvault-cve-2025-34028-added-to-cisa.html
[7] Advisory Update on Cyber Threat Activity Targeting Commvault’s … https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
[8] Commvault Metallic 0-Day Breach: What Happened and What It … https://www.varonis.com/blog/commvault-metallic-vulnerability
[9] Notice: Security Advisory (Update) - Commvault https://www.commvault.com/blogs/notice-security-advisory-update
[10] Commvault security advisory (AV25-249) https://www.cyber.gc.ca/en/alerts-advisories/commvault-security-advisory-av25-249
[11] CISA Adds Three Known Exploited Vulnerabilities to Catalog https://www.cisa.gov/news-events/alerts/2025/04/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
[12] Commvault security advisory (AV25-531) https://www.cyber.gc.ca/en/alerts-advisories/commvault-security-advisory-av25-531
[13] CVE-2025-3928 Detail - NVD https://nvd.nist.gov/vuln/detail/cve-2025-3928
[14] Notice: Security Advisory (Update) - Commvault https://www.commvault.com/blogs/customer-security-update
[15] CVE-2025-3928 - Red Hat Customer Portal https://access.redhat.com/security/cve/cve-2025-3928
[16] SaaS companies in firing line following Commvault attack https://www.theregister.com/2025/05/23/cisa_commvault_zero_day/
[17] China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud … https://www.nextgov.com/cybersecurity/2025/05/china-linked-silk-typhoon-hackers-accessed-commvault-cloud-environments-person-familiar-says/405579/
[18] Companies Warned of Commvault Vulnerability Exploitation https://www.securityweek.com/companies-warned-of-commvault-vulnerability-exploitation/
[19] Treasury Department hacked: Explaining how it happened https://www.techtarget.com/whatis/feature/Treasury-Department-hacked-Explaining-how-it-happened
[20] Chinese hackers involved in ‘major cybersecurity incident’ https://globalnews.ca/news/10937777/us-treasury-department-china-hack/
[21] Commvault Confirms 0-Day Exploit Allowed Hackers Access to Its … https://cybersecuritynews.com/commvault-hackers-exploited-zero-day-vulnerability/
[22] Fire In The Hole, We’re Breaching The Vault - Commvault Remote … https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
[23] CISA warns about actively exploited Broadcom, Commvault … https://www.helpnetsecurity.com/2025/04/29/cisa-warns-about-actively-exploited-broadcom-commvault-vulnerabilities-cve-2025-1976-cve-2025-3928/
[24] Commvault clients should beware of campaign targeting cloud … https://therecord.media/commvault-clients-cloud-applications-cyberthreat-cisa-alert
[25] CVE-2025-3928 : Web Server Vulnerability in Commvault Affects … https://securityvulnerability.io/vulnerability/CVE-2025-3928
[26] CISA Updates Alert on Commvault Metallic Exploitation - Cyble https://cyble.com/blog/cisa-updates-alert-commvault-metallic-exploitation/
[27] CVE-2025-34028 | Arctic Wolf https://arcticwolf.com/resources/blog/cve-2025-34028/
[28] CVE-2025-34028 - Commvault Documentation https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
[29] Analysis of the Commvault CVE-2025-3928 Breach and Nation … https://www.linkedin.com/pulse/analysis-commvault-cve-2025-3928-breach-nationstate-cloud-james-cupps-ztzzc
[30] FedRAMP® High Authorized Status with Commvault Cloud https://www.commvault.com/platform/government-cloud
[31] Government Approved Data Security: Commvault Cloud for … https://www.prnewswire.com/news-releases/government-approved-data-security-commvault-cloud-for-government-achieves-fedramp-high-authorization-302164035.html
[32] commvault_government_breach_timeline_2025.csv https://ppl-ai-code-interpreter-files.s3.amazonaws.com/web/direct-files/d6c93d9d07df6a64898a053b1f238174/25bf4dee-93be-4110-b35f-f1c1612d98cc/997f78eb.csv
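The "Affected Versions" and "Immediate Actions" lists above give four affected build ranges and the first fixed build for each. The following script, an added example that is not Commvault tooling and not from any of the cited sources, turns those ranges into a fleet triage check: it parses a `major.feature.maintenance` version string (the three-part layout, e.g. `11.36.45`, is an assumption of this script), reports whether the build is inside an affected range together with the build to upgrade to, and flags feature releases the advisory does not list as unknown rather than assuming they are safe. The hostnames and builds in `SAMPLE_INVENTORY` are constructed.

```python
"""Is a given Commvault build inside the CVE-2025-3928 affected ranges?

Added example, not Commvault tooling. Affected ranges and fixed builds are the ones
listed in the report above; the "major.feature.maintenance" version layout is an
assumption of this script.
"""

# (first affected, last affected, first fixed) per feature release, from the report.
AFFECTED_RANGES = [
    ((11, 20, 0), (11, 20, 216), (11, 20, 217)),
    ((11, 28, 0), (11, 28, 140), (11, 28, 141)),
    ((11, 32, 0), (11, 32, 88), (11, 32, 89)),
    ((11, 36, 0), (11, 36, 45), (11, 36, 46)),
]


def parse_version(text):
    """Turn '11.36.45' into (11, 36, 45); reject anything that does not fit."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version):
    """Inverse of parse_version: (11, 36, 46) -> '11.36.46'."""
    return ".".join(str(p) for p in version)


def assess(version_text):
    """Verdict for one installed build.

    Three outcomes: inside an affected range (with the upgrade target), at or above
    the fixed build of a listed feature release, or a feature release the advisory
    does not list at all (flagged as not_listed rather than assumed safe).
    """
    version = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        if version[:2] != first[:2]:
            continue  # different feature release (11.20 vs 11.36 and so on)
        if version <= last:
            return {"version": version_text, "status": "vulnerable", "upgrade_to": fmt(fixed)}
        return {"version": version_text, "status": "patched", "upgrade_to": None}
    return {"version": version_text, "status": "not_listed", "upgrade_to": None}


def triage_fleet(inventory):
    """Assess every host in an inventory mapping hostname -> version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = {
    "cs-agency-a": "11.36.45",
    "cs-agency-b": "11.32.89",
    "cs-agency-c": "11.20.10",
    "cs-agency-d": "11.24.5",
}

if __name__ == "__main__":
    for host, verdict in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict['status']}"
              + (f", upgrade to {verdict['upgrade_to']}" if verdict["upgrade_to"] else ""))
```

The `not_listed` outcome is deliberate: a build such as `11.24.5` falls outside every range the advisory names, which means the advisory says nothing about it, not that it is fixed; such hosts should be checked against the vendor's own advisory rather than closed out.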
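The "Immediate Actions" and "Long-term Mitigations" above call for conditional access restricted to approved IP ranges and for monitoring of service principal authentication events, and the report lists the IP addresses associated with the campaign. The script below is an added example, not code from any of the cited sources or from Commvault, of what that monitoring looks like once sign-in records have been exported: each record for a watched service principal is ranked as a campaign IoC match, a sign-in from outside the approved ranges, or expected. The record field names are a simplified shape modelled on Entra ID service principal sign-in logs and are an assumption of this example; the approved ranges and the `SAMPLE_SIGNINS` records are constructed (RFC 5737 documentation addresses plus the campaign IPs from the report).

```python
"""Review service-principal sign-ins for the campaign IoCs and approved-range policy.

Added example, not from the report's sources or from Commvault. Field names are an
assumption; approved ranges and sample records are constructed for the example.
"""
import ipaddress

# Campaign IP addresses listed in the report above.
CAMPAIGN_IPS = {
    "108.69.148.100",
    "128.92.80.210",
    "184.153.42.129",
    "108.6.189.53",
    "159.242.42.20",
}

# Constructed: the egress ranges an agency has approved for the Commvault service
# principal in its conditional access policy (RFC 5737 documentation addresses).
APPROVED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample records; the field names are an assumption of this example.
SAMPLE_SIGNINS = [
    {"time": "2025-02-21T03:14:00Z", "servicePrincipalName": "commvault-m365-backup",
     "ipAddress": "203.0.113.17", "status": "Success"},
    {"time": "2025-02-21T03:20:00Z", "servicePrincipalName": "commvault-m365-backup",
     "ipAddress": "108.69.148.100", "status": "Success"},
    {"time": "2025-02-22T11:02:00Z", "servicePrincipalName": "commvault-m365-backup",
     "ipAddress": "192.0.2.45", "status": "Success"},
    {"time": "2025-02-22T11:05:00Z", "servicePrincipalName": "commvault-m365-backup",
     "ipAddress": "159.242.42.20", "status": "Failure"},
    {"time": "2025-02-23T08:00:00Z", "servicePrincipalName": "hr-sync-app",
     "ipAddress": "198.51.100.9", "status": "Success"},
]


def classify(record):
    """Rank one sign-in: 'ioc_match' beats 'outside_approved_ranges' beats 'expected'."""
    ip = ipaddress.ip_address(record["ipAddress"])
    if str(ip) in CAMPAIGN_IPS:
        return "ioc_match"
    if not any(ip in net for net in APPROVED_RANGES):
        return "outside_approved_ranges"
    return "expected"


def triage(records, watched_principals=None):
    """Return findings for sign-ins that are IoC hits or outside the approved ranges.

    watched_principals restricts the check to the service principals whose secrets
    Commvault holds; None checks every record.
    """
    findings = []
    for record in records:
        if watched_principals and record["servicePrincipalName"] not in watched_principals:
            continue
        verdict = classify(record)
        if verdict == "expected":
            continue
        findings.append({
            "time": record["time"],
            "principal": record["servicePrincipalName"],
            "ip": record["ipAddress"],
            "verdict": verdict,
            # A successful sign-in from a campaign IP means the secret is already in
            # someone else's hands: that principal's secret needs rotating, not just an alert.
            "rotate_secret": verdict == "ioc_match" and record["status"] == "Success",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS, watched_principals={"commvault-m365-backup"}):
        print(finding)
```

Two design points: the IoC check runs before the range check so that a campaign address inside an approved range (for example one that was whitelisted too broadly) is still reported as an IoC match, and the `rotate_secret` flag separates the sign-ins that prove the credential is in use from the failed attempts that only show it is being tried. Rotating the secret is what the "Immediate Actions" list asks for; the conditional access policy is what turns the `outside_approved_ranges` finding from a retrospective alert into a block.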