CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description (NVD)
The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and who has access to specific APIs, can restore a volume from any other user's backups and attach the volume to their own VMs.
Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
Analysis (AI)
Authenticated CloudStack users can hijack volumes from other tenants' backups via the Backup plugin in versions 4.21.0.0 and 4.22.0.0. An attacker with low-privileged authenticated access can restore any other user's backup volume and attach it to their own VMs, enabling complete data theft across tenant boundaries in multi-tenant environments. The CVSS score of 8.1 reflects high confidentiality and integrity impact with low attack complexity. The EPSS score of 0.01% indicates minimal observed exploitation activity, and the SSVC assessment confirms the flaw is non-automatable with partial technical impact and no known exploitation. Apache released patch version 4.22.0.1 addressing the access control flaw.
Technical Context (AI)
Apache CloudStack is an open-source Infrastructure-as-a-Service (IaaS) platform for deploying and managing large networks of virtual machines across multiple hypervisors. The Backup plugin, introduced in version 4.21.0.0, provides snapshot and backup management capabilities for VM volumes. This vulnerability stems from CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), manifesting as improper authorization checks in the plugin's API endpoints. The flaw allows horizontal privilege escalation across tenant boundaries: authenticated users can invoke backup restoration APIs without proper ownership validation, enabling cross-account data access. The CPE string cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:* confirms Apache Software Foundation as the vendor, with versions 4.21.0.0 through 4.22.0.0 affected when the Backup plugin is enabled.
Remediation (AI)
Upgrade to Apache CloudStack version 4.22.0.1, which resolves the access control flaw; see the vendor advisory at https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm. Organizations unable to upgrade immediately should implement compensating controls: disable the CloudStack Backup plugin entirely if it is not operationally required (this eliminates the attack surface but removes backup functionality); implement strict API access monitoring and alerting for backup restoration operations, flagging any restore request that crosses tenant boundaries; apply the principle of least privilege by auditing user accounts and restricting them to the minimum necessary API permissions; and consider network segmentation so that authenticated users can reach the CloudStack management APIs only from trusted networks. Note that disabling the plugin may disrupt existing backup workflows and requires operational planning. Audit existing volume attachments to detect possible prior exploitation by reviewing CloudStack logs for anomalous backup restoration activity in the window between account creation and patch deployment.
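The monitoring and log-audit controls above both reduce to one predicate: a restore call whose caller is not the owner of the backup it references. The following is an added example, not CloudStack's own code, showing that predicate as detection logic over constructed audit records. The record layout (event id, API name, caller account and role, backup id) and the ownership table are assumptions for this illustration; real CloudStack audit data from the management server's API log or event table must be mapped onto these fields first. The API names in `RESTORE_APIS` are CloudStack's backup-restore commands, but they are not named on this page, so confirm them against the command names present in your own logs.

```python
"""Flag backup-restore API calls whose caller does not own the referenced backup.

Added example for the detection control described above; the records below
are constructed for the illustration and are not real CloudStack log lines.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed restore command names; adjust to the command names in your own logs.
RESTORE_APIS = {"restoreBackup", "restoreVolumeFromBackupAndAttachToVM"}
# Roles allowed to act across accounts (assumption: root admins are exempt).
ADMIN_ROLES = {"Admin"}


@dataclass(frozen=True)
class Backup:
    backup_id: str
    owner_account: str  # account that created the backup


@dataclass(frozen=True)
class ApiEvent:
    event_id: int
    api: str
    caller_account: str
    caller_role: str
    backup_id: str  # empty for calls that do not reference a backup


def is_cross_tenant(event: ApiEvent, backups: Dict[str, Backup]) -> bool:
    """True when a restore call targets a backup the caller does not own.

    This is the ownership check the vulnerable plugin failed to enforce, used
    here as a detection rule rather than as an API-side authorization gate.
    """
    if event.api not in RESTORE_APIS:
        return False  # only restore operations can cross tenant boundaries here
    if event.caller_role in ADMIN_ROLES:
        return False  # cross-account restores by root admins are expected
    backup = backups.get(event.backup_id)
    if backup is None:
        return True  # unknown backup id: cannot prove ownership, review it
    return backup.owner_account != event.caller_account


def find_cross_tenant_restores(events: List[ApiEvent], backups: Dict[str, Backup]) -> List[int]:
    """Return the event ids of restore calls that crossed an account boundary."""
    return [e.event_id for e in events if is_cross_tenant(e, backups)]


# Constructed sample data: two tenant accounts and one root admin.
BACKUPS = {
    "bkp-a1": Backup("bkp-a1", "tenant-a"),
    "bkp-b1": Backup("bkp-b1", "tenant-b"),
}
EVENTS = [
    ApiEvent(1, "createBackup", "tenant-a", "User", "bkp-a1"),
    ApiEvent(2, "restoreBackup", "tenant-a", "User", "bkp-a1"),            # own backup
    ApiEvent(3, "restoreVolumeFromBackupAndAttachToVM", "tenant-b", "User", "bkp-a1"),  # cross-tenant
    ApiEvent(4, "restoreBackup", "admin", "Admin", "bkp-b1"),              # admin, exempt
    ApiEvent(5, "restoreBackup", "tenant-b", "User", "bkp-missing"),       # unknown backup id
]

if __name__ == "__main__":
    for event_id in find_cross_tenant_restores(EVENTS, BACKUPS):
        print(f"review: event {event_id} restored a backup outside the caller's account")
```

Feed the detector the full window from the first deployment of an affected version until the 4.22.0.1 upgrade; any flagged event identifies a volume attachment to inspect and a caller account to review.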
EUVD-2025-209742
GHSA-jp26-gvwc-cc96