The Cybersecurity and Infrastructure Security Agency (CISA) has published an alert that covers cyberattacks actively targeting SaaS systems.
“Threat actors are actively leveraging exposed application secrets, as well as common cloud misconfigurations, to obtain unauthorized access to sensitive data and systems,” the agency said.
The warning follows a string of attacks in which threat actors breached the infrastructure of several SaaS providers that had left default configurations in place and granted overly permissive access.
CISA is also responding to an incident affecting data backup provider Commvault, in which threat actors may have stolen client secrets for its Microsoft 365 backup SaaS offering hosted in Azure. Those secrets would have given the attackers a path into the M365 environments of Commvault's customers.
CISA notes that this activity seems to be part of a large-scale campaign aimed at a range of SaaS providers.
Compromise of application secrets and exploitation of cloud misconfigurations have become reliable attack methods. Such weaknesses generally stem from poor security practices, including storing secrets in exposed locations and failing to apply the right security controls.
To reduce the impact of these vulnerabilities, CISA strongly recommends organizations apply the following measures:
Review Entra audit logs: Review logs on a regular cadence for unauthorized additions or modifications of credentials on service principals associated with SaaS applications.
Review Microsoft logs: Conduct thorough threat hunting across Entra audit logs, Entra sign-in logs, and the Microsoft 365 unified audit log.
Use Conditional Access policies: For single-tenant applications, restrict authentication of the application's service principal to an approved list of IP addresses and block it from everywhere else.
Review application registrations and service principals: Verify that the assigned permissions match business requirements and remove any privileges beyond what is needed.
Control access to management interfaces: Only allow access to SaaS management consoles from trusted and authorized networks and systems.
Deploy a Web Application Firewall (WAF): Use a WAF to detect and block path-traversal attempts and suspicious file uploads, and remove external access to SaaS applications where feasible.
Rotate credentials regularly: Establish a policy for rotating application secrets on a fixed cadence.
Follow general cloud security best practices: Follow best practices for cloud security, including the recommendations in the CISA Secure Cloud Business Applications (SCuBA) project.
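The log-review and Conditional Access recommendations above translate directly into a hunt. The following Python script is an added example written for this article, not code from CISA or Commvault: it scans Entra ID audit records for credential additions on service principals made by anyone outside an approved set of identities, and scans service-principal sign-in records for source IPs outside an allowed range (the condition a Conditional Access policy would enforce). The log records are constructed, the allowlists (`APPROVED_ACTORS`, `ALLOWED_CIDRS`) and names such as `m365-backup-connector` are hypothetical, and the field names follow the Microsoft Graph `directoryAudit` and `signIn` shapes, which you should verify against your own tenant's exports.

```python
"""Added example (not CISA's or Commvault's code): hunt Entra ID audit and
service-principal sign-in logs for unexpected credential additions and
out-of-range authentication. All records below are constructed samples."""
import ipaddress

# Entra audit operation names that add or change credentials on an app or service
# principal. These are real operation names (note the en dash in the second), but
# confirm the exact strings against your own tenant's audit log exports.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Hypothetical allowlists for the tenant under review.
APPROVED_ACTORS = {"secrets-rotation@example.com"}  # identities allowed to add secrets
ALLOWED_CIDRS = ["203.0.113.0/24"]                  # placeholder vendor range (TEST-NET-3)

# Constructed audit records (not real telemetry) in the Graph directoryAudit shape.
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-05-20T02:14:09Z", "result": "success",  # unexpected human actor -> finding
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"displayName": "m365-backup-connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-20T03:00:00Z", "result": "success",  # approved rotation identity -> ignored
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "secrets-rotation@example.com", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"displayName": "m365-backup-connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-05-20T03:05:00Z", "result": "failure",  # failed attempt -> not a credential add
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "legacy-sync-app"}},
     "targetResources": [{"displayName": "m365-backup-connector", "type": "Application"}]},
    {"activityDateTime": "2025-05-20T04:00:00Z", "result": "success",  # unrelated operation -> ignored
     "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.5"}},
     "targetResources": [{"displayName": "reporting-app", "type": "ServicePrincipal"}]},
]

# Constructed service-principal sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-05-20T02:20:00Z", "servicePrincipalName": "m365-backup-connector",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},   # inside allowed range
    {"createdDateTime": "2025-05-20T02:21:00Z", "servicePrincipalName": "m365-backup-connector",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},   # outside allowed range -> finding
    {"createdDateTime": "2025-05-20T02:22:00Z", "servicePrincipalName": "m365-backup-connector",
     "ipAddress": None, "status": {"errorCode": 0}},            # missing IP -> finding (cannot verify)
]


def actor_of(record):
    """Return (actor, source_ip) from an audit record's initiatedBy block."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    if user:
        return user.get("userPrincipalName", "?"), user.get("ipAddress")
    app = initiated.get("app") or {}
    return app.get("displayName", "?"), None


def find_credential_additions(records, approved_actors):
    """Flag successful credential additions/changes not made by an approved identity."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPS or rec.get("result") != "success":
            continue
        actor, ip = actor_of(rec)
        if actor in approved_actors:
            continue
        findings.append({
            "time": rec["activityDateTime"],
            "operation": rec["activityDisplayName"],
            "actor": actor,
            "actor_ip": ip,
            "targets": [t.get("displayName", "?") for t in rec.get("targetResources", [])],
        })
    return findings


def find_out_of_range_signins(records, allowed_cidrs):
    """Flag service-principal sign-ins from outside the allowlist (what a Conditional
    Access policy would block). Missing or unparseable source IPs are flagged too."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rec in records:
        raw = rec.get("ipAddress")
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:  # None or garbage: cannot prove it came from an allowed source
            ip = None
        if ip is not None and any(ip in n for n in nets):
            continue
        findings.append({"time": rec.get("createdDateTime"),
                         "service_principal": rec.get("servicePrincipalName", "?"),
                         "ip": raw, "error_code": (rec.get("status") or {}).get("errorCode")})
    return findings


if __name__ == "__main__":
    for f in find_credential_additions(SAMPLE_AUDIT, APPROVED_ACTORS):
        print("CREDENTIAL ADDED:", f)
    for f in find_out_of_range_signins(SAMPLE_SIGNINS, ALLOWED_CIDRS):
        print("OUT-OF-RANGE SIGN-IN:", f)
```

In production you would feed this the JSON returned by the Graph `auditLogs/directoryAudits` and `auditLogs/signIns` endpoints (or an export from Microsoft Sentinel) rather than the inline samples; the point is that a credential added to a service principal by an identity you did not expect, followed by that service principal authenticating from an address outside the vendor's range, is exactly the sequence these recommendations are meant to catch.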
The recently exploited vulnerability, CVE-2025-3928, has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, and CISA urges organizations to apply the vendor's patch as a top priority. The agency continues to work with partner organizations to counter these threat actors and will share further guidance as it becomes available.
Enterprises are advised to stay alert and apply these recommendations as appropriate to protect themselves against increasingly sophisticated attacks targeting SaaS environments.