China Commvault Treasury Feb thru Sept or more

5 bookmarks
disclosed april, not patched till september Commvault releases patches for two nasty bug chains after exploits proven
Researchers disclosing their findings said 'it's as bad as it sounds'
They then found the method in Commvault's code used to decrypt passwords, and used it against the retrieved admin password to log in as that admin. Notably, during watchTowr's version of the disclosure timeline, Commvault originally pushed back on this bug, saying it couldn't be feasibly exploited in real-world scenarios.
The vendor argued the flaw was impractical, which may explain why the make-me-admin bug carries the lowest severity score (5.3) of the four vulnerabilities: the conditions required to exploit it sharply limit its exploitability.
·theregister.com·
Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.
For certain Commvault customers: rotate their application secrets, and rotate those credentials on Commvault Metallic applications and service principals available between February and May 2025.[2] Note: This mitigation only applies to a limited number of customers who themselves have control over Commvault’s application secrets.
·cisa.gov·