CVE-2025-34028 has been added to the CISA KEV catalog, confirming active exploitation in the wild. Federal agencies are required to remediate. All organizations should treat this with equal urgency.
Commvault disclosed that a sophisticated nation-state threat actor exploited CVE-2025-34028 to plant a persistent webshell inside its Metallic SaaS backup platform. Organizations using Commvault Metallic should immediately audit backup integrity and rotate all credentials stored in the platform.
Commvault issued a security advisory on April 28, 2026, disclosing that a sophisticated nation-state threat actor exploited CVE-2025-34028, a critical pre-authentication remote code execution vulnerability in the Commvault Command Center web interface, to gain persistent access to the Metallic SaaS backup platform. The attacker planted a webshell — a malicious script providing persistent remote access — inside the Metallic infrastructure. CISA added CVE-2025-34028 to its Known Exploited Vulnerabilities catalog the same day. Commvault stated that the webshell was discovered during a routine security review and that the company has remediated the affected infrastructure, but the disclosure has raised serious questions about the integrity of backups stored in the platform during the exposure window.
Backup platforms are uniquely high-value targets for sophisticated attackers for two reasons. First, they contain copies of virtually all data in an organization — databases, file shares, email archives, and application data — making them a one-stop shop for data exfiltration. Second, compromising a backup platform gives attackers the ability to corrupt or delete backups, eliminating an organization's ability to recover from a ransomware attack without paying the ransom. A nation-state actor with access to Commvault Metallic had potential visibility into the backup data of every tenant on the platform. Organizations should assume that any data backed up to Metallic during the exposure window may have been accessed.
If your organization uses Commvault Metallic or any Commvault cloud-connected backup solution, take the following actions immediately. First, contact Commvault support to confirm whether your tenant was affected and to obtain the specific remediation steps for your environment. Second, audit your backup job history for the past 90 days — look for any unusual access patterns, unexpected data reads, or configuration changes you did not make. Third, rotate all credentials that are stored in or accessible through Commvault, including service account passwords, API keys, and cloud provider credentials. Fourth, verify the integrity of your most recent backups by performing test restores of critical systems.
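One way to carry out the 90-day audit in the second step is sketched below. This is an added example, not Commvault tooling or code from the advisory. It assumes the audit trail has been exported to CSV; the column names, operation names, accounts, and networks are hypothetical and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names and operation names are assumptions
# for this example, not a Commvault log format.
SAMPLE_EXPORT = """timestamp,actor,source_ip,operation,target
2026-04-20T02:14:00+00:00,svc-backup,10.0.5.10,BACKUP,sql-prod-01
2026-04-21T03:40:00+00:00,unknown-admin,203.0.113.7,RESTORE,fileshare-hr
2026-04-22T14:05:00+00:00,jsmith,10.0.5.22,CONFIG_CHANGE,retention-policy
2026-04-23T09:30:00+00:00,jsmith,10.0.5.22,RESTORE,sql-prod-01
2026-01-02T01:00:00+00:00,unknown-admin,203.0.113.7,RESTORE,mail-archive
"""
SENSITIVE_OPS = {"RESTORE", "CONFIG_CHANGE"}  # data reads and settings changes

def audit(export_text, as_of, known_actors, mgmt_networks, approved, days=90):
    """Return [(row, reasons)] for events in the window that need explaining."""
    cutoff = as_of - timedelta(days=days)
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not cutoff <= ts <= as_of:
            continue  # outside the review window
        reasons = []
        if row["actor"] not in known_actors:
            reasons.append("unrecognized account")
        ip = ipaddress.ip_address(row["source_ip"])
        if not any(ip in net for net in nets):
            reasons.append("source outside management networks")
        key = (row["actor"], row["operation"], row["target"])
        if row["operation"] in SENSITIVE_OPS and key not in approved:
            reasons.append("no change record or planned restore")
        if reasons:
            findings.append((row, reasons))
    return findings

def run_sample():
    return audit(
        SAMPLE_EXPORT,
        as_of=datetime(2026, 4, 28, tzinfo=timezone.utc),
        known_actors={"svc-backup", "jsmith"},
        mgmt_networks=["10.0.5.0/24"],
        approved={("jsmith", "RESTORE", "sql-prod-01")},  # planned test restore
    )

if __name__ == "__main__":
    for row, reasons in run_sample():
        print(row["timestamp"], row["actor"], row["operation"], row["target"], reasons)
```

Each finding is a prompt for a human to match the event against a change ticket or a known operator, not a verdict. Anything that cannot be explained is what to raise with Commvault support in the first step.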
This incident is a stark reminder that backup platforms are not immune to attack — in fact, they are increasingly targeted precisely because of the value of the data they contain. Organizations should apply the same security rigor to their backup infrastructure as they do to their production systems. This includes keeping backup software patched and up to date, restricting access to backup management interfaces, monitoring backup platform logs for unusual activity, and ensuring that backup data is encrypted at rest with keys that are not stored in the backup platform itself. Consider implementing a 3-2-1-1 backup strategy: three copies of data, on two different media types, with one copy offsite and one copy offline or immutable.