In this episode, we take a deep dive into CVE-2025-3928—a critical vulnerability in the Commvault Web Server that enables remote attackers to deploy and execute webshells after obtaining valid credentials. This flaw, rated 8.8 on the CVSS 3.1 scale, was exploited as a zero-day by a suspected nation-state actor in February 2025 to breach Commvault’s Azure cloud environment.
We unpack how the attack unfolded, what made this vulnerability so dangerous, and why the breach didn’t impact customer backup data but still triggered major concern across the cybersecurity community. The discussion also covers how webshells work, why authenticated access was a key part of the exploit chain, and the steps Commvault took to contain and remediate the breach.
You’ll also learn what it means when CISA adds a CVE to its Known Exploited Vulnerabilities (KEV) catalog, and what agencies—and private enterprises—should do in response. We’ll explore Commvault’s guidance around patching, credential rotation, IP blocklists, and how Conditional Access Policies in Azure AD/Entra ID can mitigate similar attacks in the future.
Finally, we’ll look at the broader implications of the incident, including the role of cybersecurity incident response planning (CSIRP) and the increasing use of zero-trust models to defend cloud workloads against sophisticated actors.
