Detecting Vulnerable Commvault Environments Within Azure Using KQL Query
Cybersecurity analysts are racing to respond to an active exploitation campaign targeting Commvault environments in Microsoft Azure through the recently identified CVE-2025-3928 vulnerability.
This critical vulnerability, which enables authenticated attackers to compromise web servers through the creation and execution of webshells, has already been weaponized by a sophisticated nation-state threat actor and is now part of CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The CVE-2025-3928 vulnerability affects Commvault Web Server modules in all CommServe, Web Servers, and Command Center software deployments.
According to Commvault’s advisory, this vulnerability allows authenticated threat actors to compromise web servers by creating and executing webshells.
While exploitation requires authenticated credentials, attackers have successfully acquired and leveraged these credentials to facilitate intrusions.
“This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” Commvault stated in a recent update.
The company emphasized that there has been no evidence of unauthorized access to customer backup data, though investigations continue.
Detection Through KQL
Steven Lim of KQLWizard developed a KQL query to detect potential compromise and mitigate damage before sensitive data is exfiltrated.
Security teams managing Azure environments with Commvault integrations can implement KQL queries to identify suspicious activities.
The query below leverages Azure Activity logs and SigninLogs to detect connection attempts from known malicious IP addresses associated with the exploitation campaign:
```kusto
// IP addresses Commvault has associated with the exploitation activity
let CommVaultIOC = dynamic(["108.69.148.100", "128.92.80.210", "184.153.42.129", "108.6.189.53", "159.242.42.20"]);
// Azure Activity (control-plane) events from those addresses in the last 90 days
let AzureActivityResult =
    AzureActivity
    | where TimeGenerated > ago(90d)
    | where CallerIpAddress has_any(CommVaultIOC);
// Sign-in events from the same addresses, combined with the Azure Activity hits
SigninLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(CommVaultIOC)
| union AzureActivityResult
```
This query creates a dynamic array containing IP addresses that Commvault has identified as related to malicious activity.
It then searches both Azure Activity logs and Signin logs for the past 90 days, filtering for any events where the caller IP address matches these known malicious addresses, effectively identifying potential compromise attempts.
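The script below is an added example, not the KQLWizard query or any Commvault tooling: it reproduces the same hunt offline in Python so the logic can be tested against exported log records before it is trusted in a workspace. The Azure Activity and SigninLogs rows, the allowlisted source ranges and the fixed "now" timestamp are all constructed for the example. It matches the full address string (the equivalent of KQL's `in` operator rather than the term-based `has_any`), applies the same 90-day lookback to both sources, unions the hits, and, going one step beyond the article's query, also lists sign-ins that originate outside the allowlisted ranges, which is the monitoring step the mitigations section recommends.

```python
"""Offline IOC hunt over exported Azure Activity and SigninLogs records.

Added example only: not the article's KQL query. All records, ranges and
the fixed clock below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# IOC addresses as listed in the article's query, used for exact string matching.
COMMVAULT_IOC = {
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20",
}

# Hypothetical allowlisted source ranges for the tenant (constructed values).
ALLOWLISTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Fixed reference time so the lookback window is deterministic.
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)

# Constructed rows shaped like the two tables the KQL query unions.
AZURE_ACTIVITY = [
    {"TimeGenerated": NOW - timedelta(days=2), "CallerIpAddress": "108.6.189.53",
     "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"},
    {"TimeGenerated": NOW - timedelta(days=120), "CallerIpAddress": "128.92.80.210",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ"},  # outside 90d
    {"TimeGenerated": NOW - timedelta(days=1), "CallerIpAddress": "203.0.113.40",
     "OperationNameValue": "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"},
]
SIGNIN_LOGS = [
    {"TimeGenerated": NOW - timedelta(hours=5), "IPAddress": "159.242.42.20",
     "UserPrincipalName": "svc-commvault@contoso.example"},
    {"TimeGenerated": NOW - timedelta(hours=3), "IPAddress": "192.0.2.77",
     "UserPrincipalName": "svc-commvault@contoso.example"},
    {"TimeGenerated": NOW - timedelta(hours=1), "IPAddress": "203.0.113.9",
     "UserPrincipalName": "alice@contoso.example"},
    {"TimeGenerated": NOW - timedelta(hours=1), "IPAddress": "not-an-ip",
     "UserPrincipalName": "broken-export@contoso.example"},  # malformed row
]


def _parse_ip(value):
    """Return an ip_address object, or None when the exported value is malformed."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def ioc_hits(azure_activity, signin_logs, lookback_days=90, now=NOW):
    """Union of both sources, filtered to IOC source IPs within the lookback window.

    Mirrors the KQL: each source gets the same TimeGenerated > ago(90d) filter,
    then the two result sets are combined and ordered by time.
    """
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for row in azure_activity:
        if row["TimeGenerated"] > cutoff and row["CallerIpAddress"] in COMMVAULT_IOC:
            hits.append({"Source": "AzureActivity", "TimeGenerated": row["TimeGenerated"],
                         "IP": row["CallerIpAddress"], "Detail": row["OperationNameValue"]})
    for row in signin_logs:
        if row["TimeGenerated"] > cutoff and row["IPAddress"] in COMMVAULT_IOC:
            hits.append({"Source": "SigninLogs", "TimeGenerated": row["TimeGenerated"],
                         "IP": row["IPAddress"], "Detail": row["UserPrincipalName"]})
    return sorted(hits, key=lambda h: h["TimeGenerated"])


def signins_outside_allowlist(signin_logs, ranges=ALLOWLISTED_RANGES):
    """Sign-ins whose source address falls outside every allowlisted range.

    Malformed addresses are skipped rather than silently treated as allowed.
    """
    outside = []
    for row in signin_logs:
        ip = _parse_ip(row["IPAddress"])
        if ip is None:
            continue
        if not any(ip in net for net in ranges):
            outside.append(row)
    return outside


if __name__ == "__main__":
    for hit in ioc_hits(AZURE_ACTIVITY, SIGNIN_LOGS):
        print(f'{hit["TimeGenerated"].isoformat()} {hit["Source"]:14} {hit["IP"]:16} {hit["Detail"]}')
    for row in signins_outside_allowlist(SIGNIN_LOGS):
        print(f'outside allowlist: {row["IPAddress"]} {row["UserPrincipalName"]}')
```

Running it prints two IOC hits (the 120-day-old Azure Activity row is excluded by the lookback) and two sign-ins from outside the allowlisted ranges; the malformed address is skipped rather than passed through as a non-match, which is the failure mode to watch for when exported rows contain empty or garbled IP fields.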
Mitigations
CISA has mandated that Federal Civilian Executive Branch agencies apply patches for this vulnerability by May 19, 2025.
However, all organizations using Commvault products should immediately apply the fixes available in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for both Windows and Linux platforms.
Beyond patching, Commvault recommends implementing Conditional Access policies for all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations. Additionally, organizations should:
- Rotate and sync client secrets between Azure portal and Commvault every 90 days.
- Explicitly block the identified malicious IP addresses in Conditional Access policies.
- Monitor sign-in activity for access attempts from outside allowlisted ranges.
- Report suspicious activities to Commvault Support immediately.
With nation-state actors actively exploiting CVE-2025-3928, organizations must prioritize detection and remediation.
The provided KQL query serves as a critical tool for security teams to identify potential compromises through Azure’s native logging capabilities.
By combining this detection mechanism with proper patching and enhanced security measures, organizations can significantly reduce their risk exposure while ensuring the integrity of their Commvault environments.
The post Detecting Vulnerable Commvault Environments Within Azure Using KQL Query appeared first on Cyber Security News.