CVE-2025-66171 | THREATINT

Description

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

PUBLISHED Reserved 2025-11-22 | Published 2026-05-08 | Updated 2026-05-08 | Assigner apache

Problem types

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

Product status

Default status

unaffected

4.21.0.0 (custom)

affected

Credits

Fabricio Duarte <fabricio.duarte.jr@gmail.com> reporter

Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> reporter

Gabriel Pordeus Santos <gabrielpordeus@gmail.com> reporter

References

lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm vendor-advisory

cve.org (CVE-2025-66171)

nvd.nist.gov (CVE-2025-66171)

Download JSON