CISA Issues Advisory on Cyber Threats Targeting Commvault’s Metallic SaaS Platform
In a rapidly evolving digital landscape, cybersecurity remains a paramount concern for both private enterprises and public institutions. On May 20, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and other intelligence partners, issued an urgent advisory regarding active cyber threats targeting Commvault’s Metallic SaaS (Software-as-a-Service) platform. This alert underscores the growing sophistication of threat actors and the increasing risks associated with cloud-based data protection services.
What is Commvault Metallic?
Commvault’s Metallic is a cloud-based data protection platform designed to offer backup, recovery, and data governance solutions to businesses of all sizes. As a SaaS offering, Metallic eliminates the need for on-premises infrastructure and simplifies data protection across endpoints, applications, and hybrid cloud environments. Given its critical role in safeguarding sensitive corporate and institutional data, Metallic has become an attractive target for cybercriminals and state-sponsored attackers.
Nature of the Threat
According to the CISA advisory, the attack campaign involves unauthorized access attempts aimed at exploiting vulnerabilities in exposed instances of the Metallic Control Plane. The threat actors are reportedly using phishing tactics, credential stuffing, and API abuse to infiltrate customer environments. Once inside, they may deploy data exfiltration tools, initiate ransomware encryption, or establish persistent access for long-term surveillance and exploitation.
The advisory does not point to a specific Advanced Persistent Threat (APT) group but indicates that the tactics, techniques, and procedures (TTPs) observed are consistent with nation-state level capabilities.
Attack Vectors:
CISA identified the following primary vectors being leveraged:
1. Misconfigured Access Controls – Several organizations had improperly set permissions on their Metallic interfaces, allowing for privilege escalation and lateral movement.
2. Unpatched API Endpoints – Older versions of the Metallic API stack were exposed without the latest security patches, creating open doors for exploitation.
3. Weak Multi-Factor Authentication (MFA) – In cases where MFA was implemented, threat actors exploited poorly configured systems or intercepted one-time passwords via social engineering.
4. Lack of Geo-fencing – Attackers successfully accessed accounts from high-risk geographic locations where access could have been easily blocked using geo-fencing protocols.
CISA’s Recommendations
To mitigate the risks associated with these threats, CISA has urged all organizations using Commvault’s Metallic platform to take immediate actions:
• Audit and Reconfigure Access Permissions – Ensure that only authorized users and systems can access backup environments. Use the principle of least privilege.
• Patch and Update – Apply the latest security patches provided by Commvault, especially for exposed APIs and management interfaces.
• Implement Robust MFA – Avoid SMS-based MFA where possible and instead use time-based or hardware token solutions.
• Monitor Network Logs – Use SIEM (Security Information and Event Management) tools to track and analyze anomalies in login patterns, IP access locations, and data transfer volumes.
• Restrict External Access – Employ geo-fencing and VPN enforcement to minimize attack surface from external sources.
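The log-monitoring and geo-fencing recommendations above can be expressed as simple detections over sign-in events. The following is an added example, not code from CISA or Commvault; the event field names, thresholds, baselines and the placeholder country code "XX" are assumptions, and the sample log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events; field names are assumptions, not a Metallic schema.
SAMPLE_LOG = """
{"user":"alice","ip":"198.51.100.7","country":"US","result":"fail","bytes_out":0}
{"user":"bob","ip":"198.51.100.7","country":"US","result":"fail","bytes_out":0}
{"user":"carol","ip":"198.51.100.7","country":"US","result":"fail","bytes_out":0}
{"user":"carol","ip":"198.51.100.7","country":"US","result":"success","bytes_out":0}
{"user":"bob","ip":"203.0.113.50","country":"XX","result":"success","bytes_out":900000000}
{"user":"alice","ip":"192.0.2.10","country":"US","result":"success","bytes_out":2000000}
"""
ALLOWED_COUNTRIES = {"US", "CA"}   # geo-fence policy (assumed)
STUFFING_MIN_USERS = 3             # distinct accounts failed from one IP
EGRESS_FACTOR = 10                 # multiple of baseline that counts as a spike
BASELINE_BYTES = {"alice": 5_000_000, "bob": 5_000_000, "carol": 5_000_000}

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def geo_violations(events):
    """Successful logins from outside the allowed countries."""
    return [(e["user"], e["ip"], e["country"]) for e in events
            if e["result"] == "success" and e["country"] not in ALLOWED_COUNTRIES]

def stuffing_ips(events):
    """Source IPs with failed logins against many distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            failed[e["ip"]].add(e["user"])
    return {ip for ip, users in failed.items() if len(users) >= STUFFING_MIN_USERS}

def accounts_to_reset(events):
    """Accounts that logged in successfully from an IP flagged for stuffing."""
    bad = stuffing_ips(events)
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["ip"] in bad})

def egress_spikes(events):
    """Users whose outbound volume exceeds EGRESS_FACTOR times their baseline.
    A user with no baseline is flagged on any outbound data."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["bytes_out"]
    return sorted(u for u, b in totals.items()
                  if b > EGRESS_FACTOR * BASELINE_BYTES.get(u, 0))

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(geo_violations(ev), sorted(stuffing_ips(ev)), accounts_to_reset(ev), egress_spikes(ev))
```

In a SIEM these would be separate correlation rules; the success-after-stuffing check is the one that identifies accounts needing an immediate credential reset.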
Why This Matters
The targeting of data protection platforms like Metallic represents a disturbing evolution in cyber threat strategies. Instead of attacking the primary data sources, malicious actors are increasingly focusing on backup systems, understanding that compromising these can paralyze an organization’s recovery capabilities. Compromising backups also enables attackers to destroy the last line of defense against ransomware.
Commvault, for its part, has released a statement acknowledging the threats and confirming that it is working closely with law enforcement and cybersecurity agencies to contain and neutralize ongoing attacks. The company has also issued a series of emergency updates and enhanced its security guidelines for customers.
The Bigger Picture
This advisory fits into a broader trend where SaaS platforms are becoming prime targets. As more enterprises shift operations to the cloud, attackers follow the data. The CISA warning serves as a reminder that cloud security is a shared responsibility, and organizations must be proactive in maintaining strong security postures even when using third-party platforms.
With the proliferation of sophisticated cyber threats, vigilance is not optional; it is essential. CISA’s advisory on threats targeting Commvault’s Metallic platform is a wake-up call for IT administrators and cybersecurity professionals. Regular audits, timely patching, strong identity management, and well-configured cloud environments can mean the difference between resilience and a catastrophic breach. As always, staying informed and prepared remains the best defense.