WARNING: Broader SaaS Attacks
- Ben Card
- Jun 2
CISA Warns of Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigurations

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a widespread cyber threat targeting Software-as-a-Service (SaaS) providers. The agency has identified a nation-state actor exploiting application secrets and cloud misconfigurations, potentially affecting numerous organizations relying on SaaS solutions for their operations.
The Attack: How Threat Actors Are Exploiting SaaS Vulnerabilities
CISA's advisory highlights a zero-day vulnerability (CVE-2025-3928) in Commvault’s Metallic Microsoft 365 (M365) backup SaaS solution, hosted in Microsoft Azure. Threat actors have reportedly gained unauthorized access to Commvault customers' M365 environments, leveraging app secrets stored by Commvault.
Key Exploitation Methods

- Compromising App Secrets – Attackers accessed stored credentials, allowing them to infiltrate SaaS environments.
- Leveraging Default Configurations – Many SaaS applications come with default settings that grant elevated permissions, making them prime targets.
- Cloud Misconfigurations – Poorly configured identity and access management (IAM) policies have enabled attackers to escalate privileges and move laterally across cloud environments.

Why This Matters for SaaS Security
SaaS applications are widely used across industries, from finance and healthcare to government agencies. The lack of direct control over cloud-hosted environments makes them vulnerable to third-party breaches. According to security experts, many organizations fail to properly secure non-human identities, such as API keys and service accounts, leaving them exposed to exploitation.
CISA’s Recommended Mitigation Strategies

To counter these threats, CISA advises organizations to take immediate action:

- Monitor Entra audit logs for unauthorized credential modifications.
- Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) for suspicious activity.
- Implement conditional access policies to restrict authentication to approved IP addresses.
- Rotate application secrets and credentials regularly.
- Restrict access to Commvault management interfaces to trusted networks.
- Deploy Web Application Firewalls (WAFs) to detect and block suspicious file uploads.
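
One way to act on the first recommendation, as an added example that is not part of CISA's advisory or the original post: a Python check that scans exported Entra audit records for successful app credential changes and flags those made by an unapproved identity or from outside approved networks. The records follow the Microsoft Graph directoryAudit shape; the sample data, names, IP ranges and allow-lists are constructed assumptions.

```python
import ipaddress

# Entra audit activity names that record a new or changed app credential.
# Matched exactly after trimming; confirm the names against your own tenant's logs.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

def initiator_of(record):
    """Return (identity, ip) for the user or app that made the change."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    identity = user.get("userPrincipalName") or app.get("displayName") or "unknown"
    return identity.lower(), user.get("ipAddress")

def flag_credential_changes(records, approved_initiators, approved_networks):
    """Return successful credential changes made by an unapproved identity or source IP."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    findings = []
    for rec in records:
        activity = (rec.get("activityDisplayName") or "").strip()
        if activity not in CREDENTIAL_ACTIVITIES or rec.get("result") != "success":
            continue
        identity, ip = initiator_of(rec)
        reasons = []
        if identity not in approved_initiators:
            reasons.append("unapproved initiator")
        # A record with no initiator IP cannot be matched to a network, so flag it.
        if not ip or not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append("source IP not in approved networks")
        if reasons:
            target = (rec.get("targetResources") or [{}])[0].get("displayName")
            findings.append((rec.get("activityDateTime"), target, identity, reasons))
    return findings

def _rec(when, activity, target, user=None, ip=None, app=None):
    """Build a constructed record shaped like a Graph directoryAudit entry."""
    by = {"user": {"userPrincipalName": user, "ipAddress": ip}} if user else {"app": {"displayName": app}}
    return {"activityDateTime": when, "activityDisplayName": activity, "result": "success",
            "initiatedBy": by, "targetResources": [{"displayName": target}]}

# Constructed sample data (documentation IP ranges, hypothetical names), not real logs.
SAMPLE = [
    _rec("2025-01-01T09:00:00Z", "Add service principal credentials", "backup-connector", user="admin@example.com", ip="192.0.2.10"),
    _rec("2025-01-01T23:41:00Z", "Add service principal credentials", "backup-connector", app="unknown-automation"),
    _rec("2025-01-02T02:15:00Z", "Update application – Certificates and secrets management", "backup-connector", user="admin@example.com", ip="203.0.113.77"),
    _rec("2025-01-02T08:00:00Z", "Add user", "new.hire@example.com", user="admin@example.com", ip="192.0.2.10"),
]
```

Calling `flag_credential_changes(SAMPLE, {"admin@example.com"}, ["192.0.2.0/24"])` returns the second and third sample records; the approved change and the unrelated "Add user" event are not flagged.
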
Final Thoughts
This latest SaaS security warning underscores the urgent need for organizations to harden their cloud environments. As attackers pivot from traditional endpoint attacks to exploiting SaaS misconfigurations, businesses must prioritize security measures to protect their critical data and infrastructure.
Cybersecurity is an ongoing battle, and staying ahead of emerging threats is the key to defending against sophisticated cyberattacks. Organizations should act now to audit their SaaS environments, enforce strict IAM policies, and monitor for suspicious activity.
Would you like guidance on specific mitigation steps or detection tools to help secure your SaaS environment? Contact Webcheck Security today!