Skip to main content

Apache CloudStack CVE-2026-25077

| EUVDEUVD-2026-28549 HIGH
Code Injection (CWE-94)
2026-05-08 apache GHSA-vhgc-6rjx-f6vv
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
May 10, 2026 - 15:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 10, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
May 10, 2026 - 15:22 NVD
MEDIUM HIGH
CVSS changed
May 10, 2026 - 15:22 NVD
6.3 (MEDIUM) 8.8 (HIGH)
Analysis Generated
May 08, 2026 - 18:23 vuln.today
CVSS changed
May 08, 2026 - 18:22 NVD
6.3 (MEDIUM)
CVE Published
May 08, 2026 - 12:21 nvd
MEDIUM 6.3
CVE Published
May 08, 2026 - 12:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

AnalysisAI

Remote code execution in Apache CloudStack allows authenticated account users to execute arbitrary code on KVM hypervisor hosts by registering malicious templates with unsanitized filenames. Affects CloudStack 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0 when using KVM hypervisors. Despite high CVSS (8.8), EPSS exploitation probability is very low (0.04%, 11th percentile) and CISA SSVC reports no active exploitation. Vendor-released patches are available in versions 4.20.3.0 and 4.22.0.1.

Technical ContextAI

Apache CloudStack is an open-source Infrastructure-as-a-Service (IaaS) cloud computing platform that manages compute, storage, and network resources. The vulnerability (CWE-94: Improper Control of Generation of Code) exists in CloudStack's template registration functionality for KVM hypervisors. When account users register templates for direct download to primary storage, the template filename parameter lacks proper sanitization. This allows injection of malicious code or path traversal sequences that execute when the template file is processed on the KVM host filesystem. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_cloudstack) covers the platform's core orchestration layer that interfaces with hypervisor infrastructure. KVM (Kernel-based Virtual Machine) is a Linux hypervisor technology, and CloudStack's management of KVM hosts involves file operations that became the attack surface for this code injection vulnerability.

RemediationAI

Upgrade to Apache CloudStack version 4.20.3.0 or 4.22.0.1 (or later versions) which contain vendor-confirmed fixes for the filename sanitization vulnerability per the official Apache advisory at https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm. For environments unable to immediately patch, implement these compensating controls with noted trade-offs: (1) Restrict template registration permissions to trusted administrative accounts only via CloudStack role-based access control, removing this capability from general account users - this limits cloud self-service functionality but prevents untrusted users from exploiting the vulnerability. (2) Deploy file integrity monitoring on KVM hypervisor hosts to detect unauthorized file creation in primary storage paths - provides detection but not prevention, requiring active monitoring and incident response. (3) Isolate KVM management networks from untrusted account user access and enforce strict network segmentation between CloudStack management servers and hypervisor hosts - reduces attack surface but does not eliminate risk for authenticated users. All workarounds reduce functionality or require additional security tooling; vendor patching is the primary recommended remediation.

Share

CVE-2026-25077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy