CISA Warns of Growing Threats to SaaS Applications with Weak Security
June 4, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning highlighting a growing threat to software as a service (SaaS) providers, reports Connor Jones in The Register.
Providers using cloud applications with default settings and elevated permissions are at the highest risk. Although no specific threat actor has been named, the alert follows recent disclosures by Commvault regarding unauthorized access to its Azure environments.
CISA cautions that this threat may be part of a broader campaign targeting cloud-based services and urges organizations to follow its security recommendations to mitigate risks.
Commvault revealed that Microsoft notified it in February about suspected nation-state actors breaching its systems via a zero-day vulnerability, now cataloged as CVE-2025-3928.
Although details are sparse, the exploit enables attackers with valid credentials to create and execute malicious web shells. While the breach did not impact customer data or Commvault’s operations, the attackers aimed to steal credentials that would enable access to Microsoft 365 environments.
CISA later confirmed the vulnerability was used to infiltrate Commvault’s Azure-hosted M365 backup solution, affecting customers who stored application secrets within the service.
The advisory emphasizes that attackers exploited application misconfigurations and elevated permissions to expand access. Microsoft Entra logs, especially audit and sign-in logs, are instrumental in detecting unauthorized activity or credential tampering.
CISA recommends setting IP-based conditional access policies, rotating credentials for affected applications, and reviewing admin privileges to limit unnecessary access.
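As an added illustration (not code from the CISA advisory, the article, or Commvault), the following Python sketch shows the two log checks the paragraphs above imply: flag application sign-ins from outside the IP range a conditional access policy would allow, flag Entra audit events that add or replace an application's secrets or certificates, and correlate the two. Field names follow a simplified version of the Microsoft Graph sign-in and audit log shape, and the log lines, IPs, app names and timestamps are constructed for the example.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified Entra sign-in / audit log shape.
# Field names are modelled on the Microsoft Graph schema but assumed here; the
# IPs, app names and timestamps are made up for this illustration.
SIGNIN_LOG = """
{"createdDateTime":"2025-02-20T03:11:42Z","appDisplayName":"Backup Connector","ipAddress":"203.0.113.7"}
{"createdDateTime":"2025-02-20T03:12:10Z","appDisplayName":"Backup Connector","ipAddress":"198.51.100.22"}
{"createdDateTime":"2025-02-20T09:00:01Z","appDisplayName":"Backup Connector","ipAddress":"203.0.113.8"}
"""
AUDIT_LOG = """
{"activityDateTime":"2025-02-20T03:15:00Z","activityDisplayName":"Update application - Certificates and secrets management","targetResources":[{"displayName":"Backup Connector"}]}
{"activityDateTime":"2025-02-20T10:00:00Z","activityDisplayName":"Update user","targetResources":[{"displayName":"jdoe"}]}
"""
# Source ranges the backup app's service principal is expected to use; an
# IP-based conditional access policy would enforce the same boundary.
ALLOWED_CIDRS = ["203.0.113.0/24"]

def parse_lines(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def ts(value):
    # Graph timestamps end in "Z"; older Pythons need the explicit offset form.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def signins_outside_allowlist(entries, allowed_cidrs=ALLOWED_CIDRS):
    """Sign-ins whose source IP falls in none of the allowed networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [e for e in entries
            if not any(ipaddress.ip_address(e["ipAddress"]) in n for n in nets)]

def credential_changes(entries):
    """Audit events that add or replace an application's secrets/certificates
    (matched on the substring so the dash style in the display name does not matter)."""
    return [e for e in entries
            if "Certificates and secrets management" in e["activityDisplayName"]]

def correlate(signins, changes, window=timedelta(minutes=30)):
    """Pair each out-of-range sign-in with a credential change on the same app
    shortly afterwards: the credential-tampering pattern the advisory describes."""
    pairs = []
    for s in signins:
        for c in changes:
            target = c["targetResources"][0]["displayName"]
            delta = ts(c["activityDateTime"]) - ts(s["createdDateTime"])
            if target == s["appDisplayName"] and timedelta(0) <= delta <= window:
                pairs.append((s["ipAddress"], c["activityDateTime"]))
    return pairs

if __name__ == "__main__":
    suspicious = signins_outside_allowlist(parse_lines(SIGNIN_LOG))
    print(correlate(suspicious, credential_changes(parse_lines(AUDIT_LOG))))
```

In a real tenant the same logic runs over exported sign-in and audit logs (or a Log Analytics query) rather than embedded strings, and the allow-list comes from the conditional access policy itself.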
Legal entities using SaaS providers must regularly audit permissions, ensure secure configurations, and closely monitor for signs of intrusion. Partnering with vendors that offer transparency, robust patching processes, and detailed logging capabilities is essential for maintaining client trust and ensuring compliance with evolving cybersecurity standards.