How to fix CVE-2025-47849?

Within 24 hours: Audit all Domain Admin accounts for unauthorized API key access and review CloudStack audit logs for credential theft attempts. Within 7 days: Inventory all CloudStack deployments and identify those running versions 4.10.0.0-4.20.0.0; apply compensating controls listed below to high-risk environments. Within 30 days: Upgrade all affected CloudStack instances to version 4.19.3.0 or 4.20.1.0; rotate all API keys and secrets as a precaution.

Is Cloudstack affected by CVE-2025-47849?

A privilege escalation vulnerability in Apache CloudStack (versions 4.10.0.0-4.20.0.0) allows Domain Admin users to steal API credentials from Admin-level accounts, effectively giving attackers full administrative control over your infrastructure.

CVE-2025-47849

EUVD-2025-18066 HIGH

2025-06-10 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-18066

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

CVE Published

Jun 10, 2025 - 23:15 nvd

HIGH 8.8

Description

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role. * API privilege comparison: the caller must possess all privileges of the user they are operating on. * Two new domain-level settings (restricted to the default admin): - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin". - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.

Analysis

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Technical Context

CWE-269 (Improper Privilege Management). CVSS 8.8 indicates high severity. Affects Apache CloudStack.

Affected Products

['Apache CloudStack']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

CVE-2025-47849 vulnerability details – vuln.today

Back

CVE-2025-47849

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-47849

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code