• CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

    May 23, 2025Ravie LakshmananCloud Security / Vulnerability
    The U.S. Cybersecurity and Infrastructure Security Agencyon Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment.
    "Threat actors may have accessed client secrets for Commvault'sMicrosoft 365backup software-as-a-servicesolution, hosted in Azure," the agency said.
    "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault."
    CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-serviceproviders' cloud infrastructures with default configurations and elevated permissions.
    The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment.
    The incident led to the discovery that the threat actors had been exploiting a zero-day vulnerability, an unspecified flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells.
    "Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments," Commvault said in an announcement. "This threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments."

    Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there has been no unauthorized access to customer backup data.
    To mitigate such threats, CISA is recommending that users and administrators follow the guidelines below:

    Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals
    Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting
    For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses
    Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need
    Restrict access to Commvault management interfaces to trusted networks and administrative systems
    Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications
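    The first and third guidelines above (watch for credentials being added to service principals by the vendor's application, and confine the vendor's service-principal sign-ins to its allowlisted IP ranges) can be turned into log checks. The script below is an added example, not code from CISA, Commvault or The Hacker News. It runs over constructed Entra-style audit and sign-in records embedded inline; the field names follow the Microsoft Graph directoryAudit and signIn resources as the author knows them, and the application ID, the allowlisted range (a documentation-only TEST-NET block) and the timestamps are invented placeholders, not Commvault's real values.

```python
"""
Added example (not code from CISA, Commvault or The Hacker News): two
defender-side checks that follow the advisory's guidance, run over
constructed Microsoft Entra log records embedded below. Field names follow
the Microsoft Graph directoryAudit and signIn resources as best the author
knows them; the app ID, IP ranges and timestamps are invented placeholders.
"""
import ipaddress
from typing import Iterable

# Entra audit activity names that add or change secrets on an app or service
# principal (assumed current; confirm against your own tenant's audit log).
CREDENTIAL_CHANGE_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Placeholder: the app ID of the backup vendor's multi-tenant application.
VENDOR_APP_ID = "00000000-0000-0000-0000-0000000000aa"
# Placeholder allowlist (TEST-NET-3 documentation range), not a vendor's real range.
VENDOR_ALLOWED_CIDRS = ["203.0.113.0/24"]

# Constructed directoryAudit-style records: one vendor-initiated credential
# add (should be flagged), one user-initiated add, one unrelated vendor change.
AUDIT_RECORDS = [
    {"activityDateTime": "2025-05-20T01:02:03Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"appId": VENDOR_APP_ID, "displayName": "Backup Connector"}},
     "targetResources": [{"displayName": "Backup Connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-20T01:05:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "HR Sync", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-20T02:00:00Z",
     "activityDisplayName": "Update service principal",
     "initiatedBy": {"app": {"appId": VENDOR_APP_ID, "displayName": "Backup Connector"}},
     "targetResources": [{"displayName": "Backup Connector", "type": "ServicePrincipal"}]},
]

# Constructed service-principal sign-in records: one in range, one out of
# range for the vendor app, one out of range for an unrelated app.
SIGNIN_RECORDS = [
    {"createdDateTime": "2025-05-20T00:10:00Z", "appId": VENDOR_APP_ID, "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-05-20T00:11:00Z", "appId": VENDOR_APP_ID, "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-05-20T00:12:00Z", "appId": "other-app", "ipAddress": "198.51.100.8"},
]


def find_credential_additions(records: Iterable[dict], watched_app_ids: set) -> list:
    """Audit entries where a watched application added or changed credentials
    on a service principal (the advisory's first guideline)."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_CHANGE_OPS:
            continue
        app = (rec.get("initiatedBy") or {}).get("app") or {}
        if app.get("appId") not in watched_app_ids:
            continue  # user-initiated or a different app: out of scope here
        hits.append({
            "time": rec["activityDateTime"],
            "initiator": app.get("displayName"),
            "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
        })
    return hits


def find_offrange_signins(records: Iterable[dict], app_id: str, allowed_cidrs: list) -> list:
    """Sign-ins by app_id from outside the allowlisted ranges: the condition a
    Conditional Access policy per the third guideline would block."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for rec in records:
        if rec.get("appId") != app_id:
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in net for net in nets):
            flagged.append({"time": rec["createdDateTime"], "ip": str(ip)})
    return flagged


def run_checks() -> dict:
    """Run both checks over the constructed records."""
    return {
        "credential_additions": find_credential_additions(AUDIT_RECORDS, {VENDOR_APP_ID}),
        "offrange_signins": find_offrange_signins(SIGNIN_RECORDS, VENDOR_APP_ID, VENDOR_ALLOWED_CIDRS),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

    Against real data, feed the functions the records exported from the Entra audit and sign-in logs and replace the placeholders with the vendor's published app ID and IP ranges; a hit from the first check is worth treating as a credential-rotation event, not just an alert.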

    CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it's continuing to investigate the malicious activity in collaboration with partner organizations.

    THEHACKERNEWS.COM
  • Bizarre iPhone bug causes some audio messages to fail. Here’s why
    Macworld
    Super-weird bugs in Messages are nothing new, but this latest one is a real head-scratcher: If you try to send an audio message with the phrase “Dave and Buster’s,” it won’t work.
    Why would that specific phrasing cause a problem? A coding expert has cracked the case.
    I won’t say “and the reason will shock you,” but if you’re anything like me, you’ll find it interesting.
    First, let me explain what happens when the bug triggers.
    At first, the audio message (“I’m off to eat lunch at Dave and Buster’s,” as an example) appears to send normally.
    It shows up in the Messages thread to the recipient, along with a transcript of the content.
    No problem is flagged.
    It’s at the recipient’s end that we spot the issue.
    Initially the recipient sees the ellipsis icon, indicating that something is being typed or sent… but this carries on, and carries on, and eventually disappears.
    And at this point there is no indication that anything has been sent at all: no message, no message transcript, no message failed notification.
    In fact, if the recipient didn’t happen to have the app open, or had it open but was in a different conversation thread, they never would have known something was supposed to be on the way.
    This bug is new to me, and the first time I heard about it was when it was discussed on Monday in the blog run by Guilherme Rambo, a coding and engineering expert.
    Rambo, in turn, heard about the bug on the Search Engine podcast, which devoted its May 9 episode to the subject.
    Rambo reproduced the bug, guessed the problem must be at the recipient end, then plugged that device into his Mac and started looking at logs.
    And from that point it doesn’t appear to have taken long for him to work out what was going on: iOS’s transcription engine was recognizing the name of the U.S. restaurant chain, changing it to the correct corporate branding (“Dave & Buster’s,” with an all-important ampersand), and then passing that into the XHTML code used to send a transcript with the audio message.
    The problem isn’t being caused by the words Dave and Buster’s, but by the ampersand character between them, which has a special purpose in coding and prevents the code from being parsed correctly.

    Image caption: The phrase “Dave and Buster’s” doesn’t cause a problem in the U.K. because iOS doesn’t add an ampersand (or even an apostrophe). (David Price / Foundry)
    As you can see in the image at the top of this story, a seemingly successfully sent audio iMessage ending with the phrase “Dave & Buster’s” appears as sent but never actually appears on the recipient’s phone.
    After a while, the audio message disappeared from the sender’s phone, and the recipient was completely unaware that the message had ever been sent.
    With that in mind, it’s a short leap to recognize that other brands could cause the same issue—they just haven’t been spotted doing so up to now.
    Rambo notes that “M&Ms” will do the same thing.
    For U.K. iPhone owners, in fact, “Dave and Buster’s” doesn’t trigger the bug because that chain is evidently not well enough known here and doesn’t get its ampersand added by autocorrect.

    To reproduce the issue, I had to ask a friend to send me a message about the supermarket chain M&S.
    Sure enough, this caused the hanging ellipsis followed by an unsent message.
    At the time of writing, it seems almost certain that any phrase iOS would recognize as containing an ampersand would cause an audio message to fail, and when I put it like that, it’s surprising the bug hasn’t been more widely reported.

    Image caption: But here’s what happens when a U.K. user tries to send a message about the supermarket chain M&S, complete with ampersand. (Karen Haslam / Foundry)
    On the plus side, one would imagine it’s a bug that should be easy to patch in an iOS update.
    The transcription feature in Messages simply needs to be told to “escape” special characters so they don’t mess up the parsing process.
    And as Rambo notes, this isn’t a bug with any security vulnerabilities; indeed, it shows Apple’s BlastDoor mechanism working correctly.
    “Many bad parsers would probably accept the incorrectly-formatted XHTML,” he writes, “but that sort of leniency when parsing data formats is often what ends up causing security issues.
    By being pedantic about the formatting, BlastDoor is protecting the recipient from an exploit that would abuse that type of issue.”
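    The failure mode Rambo describes, and the escaping fix the article suggests, can be shown side by side with a strict XML parser and a lenient HTML parser. The code below is an added example written for this page, not Rambo's or Apple's code, and it does not reproduce iMessage's actual transcript format: it assumes the transcript is sent as a small XHTML fragment with the recognized text inside a `<p>` element, and it uses Python's standard-library parsers in place of BlastDoor.

```python
"""
Added example (not Rambo's or Apple's code): an unescaped ampersand in
"Dave & Buster's" is rejected by a strict XML/XHTML parser, quietly accepted
by a lenient HTML parser, and parsed correctly once the text is escaped.
The <p>-wrapped transcript layout is an assumption made for illustration.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser


def wrap_transcript(text: str, escape: bool) -> str:
    """Build the hypothetical XHTML transcript fragment, with or without escaping."""
    body = html.escape(text, quote=True) if escape else text  # & -> &amp;, ' -> &#x27;
    return f"<p>{body}</p>"


def parse_strict(markup: str) -> tuple:
    """Strict parsing (what a pedantic parser such as BlastDoor does):
    malformed input is rejected outright instead of being guessed at."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError as exc:
        return ("rejected", str(exc))
    return ("accepted", root.text or "")


class _TextCollector(HTMLParser):
    """Lenient parser: tolerates a bare '&' and just keeps going."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def parse_lenient(markup: str) -> str:
    """The forgiving behaviour Rambo warns about: no error, text silently recovered."""
    collector = _TextCollector()
    collector.feed(markup)
    collector.close()
    return "".join(collector.parts)


def transcript_outcomes(text: str) -> dict:
    """Compare all three paths for one transcribed phrase."""
    raw = wrap_transcript(text, escape=False)
    return {
        "raw_markup": raw,
        "strict_unescaped": parse_strict(raw)[0],
        "strict_escaped": parse_strict(wrap_transcript(text, escape=True)),
        "lenient_unescaped": parse_lenient(raw),
    }


if __name__ == "__main__":
    for phrase in ("Dave and Buster's", "Dave & Buster's", "M&Ms"):
        print(phrase, "->", transcript_outcomes(phrase))
```

    Run as a script it shows that "Dave and Buster's" survives every path, while the ampersand forms are rejected by the strict parser unless escaped; the lenient parser returns the intended text in all cases, which is exactly the leniency the quote above identifies as the usual root of parser security bugs.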
    Source: www.macworld.com