CVE-2025-66170 Overview
CVE-2025-66170 is an improper authorization vulnerability [CWE-863] in the Apache CloudStack Backup plugin. The flaw affects CloudStack versions 4.21.0.0 and 4.22.0.0 when the Backup plugin is enabled. Any authenticated user with access to specific Backup APIs can enumerate backups belonging to any account in the environment. The vulnerability exposes backup metadata across tenant boundaries but does not disclose the contents of the backups themselves. Apache addressed the issue in CloudStack 4.22.0.1.
Critical Impact
Authenticated users in multi-tenant CloudStack environments can list backups from accounts they should not have visibility into, breaking tenant isolation guarantees.
Affected Products
- Apache CloudStack 4.21.0.0
- Apache CloudStack 4.22.0.0
- Deployments with the Backup plugin enabled
Discovery Timeline
- 2026-05-08 - CVE-2025-66170 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2025-66170
Vulnerability Analysis
The Apache CloudStack Backup plugin performs insufficient authorization checks on specific backup listing APIs. The affected endpoints fail to validate whether the requesting account owns the backups returned in the response. As a result, any authenticated user permitted to call the affected APIs receives a list of backups across all accounts in the deployment.
The disclosure is limited to backup metadata such as identifiers, names, and ownership references. The contents of the backups remain protected by storage-layer access controls. The flaw still violates tenant isolation expectations in shared CloudStack deployments and exposes reconnaissance data useful for targeted follow-on attacks.
This condition falls under CWE-863: Incorrect Authorization. The vulnerability requires valid credentials but no user interaction, and the attack is delivered over the network through the CloudStack management API.
Root Cause
The Backup plugin's API handlers do not scope query results by the caller's account or domain. Authorization logic verifies that the caller can invoke the API but omits per-resource ownership filtering on the returned backup records. This pattern is a classic broken object-level authorization (BOLA) defect.
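The root cause described above, modelled as an added example rather than CloudStack's own Java implementation: a listing handler that runs only the API-level permission check sits next to one that also scopes the returned records to the caller's account (or domain, for a domain administrator). The role names, record fields, permission table and sample data are assumptions made for the illustration, not values taken from CloudStack.

```python
"""Hypothetical model of the broken object-level authorization (BOLA) pattern.
Illustrative code only; role names, record layout and both handlers are
assumptions made for this example, not CloudStack's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    account_id: int
    domain_id: int
    role: str  # assumed role names: "User", "DomainAdmin" or "Admin"


@dataclass(frozen=True)
class Backup:
    backup_id: str
    name: str
    account_id: int
    domain_id: int


# Constructed sample data: three tenant accounts spread over two domains.
BACKUPS = [
    Backup("bk-1", "web-db-nightly", account_id=10, domain_id=1),
    Backup("bk-2", "web-fs-weekly", account_id=10, domain_id=1),
    Backup("bk-3", "erp-nightly", account_id=20, domain_id=1),
    Backup("bk-4", "lab-snapshot", account_id=30, domain_id=2),
]

# Assumed API-level permission table: every role may call listBackups.
API_PERMISSIONS = {
    "User": {"listBackups"},
    "DomainAdmin": {"listBackups"},
    "Admin": {"listBackups"},
}


def can_invoke(caller: Caller, api: str) -> bool:
    """API-level check only: does the caller's role include this command?"""
    return api in API_PERMISSIONS.get(caller.role, set())


def list_backups_vulnerable(caller: Caller, backups=BACKUPS) -> list:
    """Models the defect: the API-level check passes and the query result is
    returned unscoped, so every tenant's records come back."""
    if not can_invoke(caller, "listBackups"):
        raise PermissionError(f"listBackups not permitted for role {caller.role}")
    return list(backups)


def list_backups_fixed(caller: Caller, backups=BACKUPS) -> list:
    """Adds per-resource ownership filtering after the API-level check."""
    if not can_invoke(caller, "listBackups"):
        raise PermissionError(f"listBackups not permitted for role {caller.role}")
    if caller.role == "Admin":
        return list(backups)
    if caller.role == "DomainAdmin":
        return [b for b in backups if b.domain_id == caller.domain_id]
    return [b for b in backups if b.account_id == caller.account_id]


def foreign_records(caller: Caller, records) -> list:
    """Records in a response that the caller's account does not own."""
    return [b for b in records if b.account_id != caller.account_id]


if __name__ == "__main__":
    tenant = Caller(account_id=20, domain_id=1, role="User")
    leaked = foreign_records(tenant, list_backups_vulnerable(tenant))
    print("vulnerable handler leaks", len(leaked), "foreign records")
    print("fixed handler returns", [b.backup_id for b in list_backups_fixed(tenant)])
```

The fixed handler keeps the existing API-level check and adds the ownership filter as a second, independent step; the point of the example is that passing the first check says nothing about which records the caller may see.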
Attack Vector
An attacker authenticates to CloudStack with any low-privileged account that has access to the affected Backup plugin APIs. The attacker then calls the vulnerable listing API and receives backup records belonging to other tenants. No exploit code is required beyond a normal API client. See the Apache Security Mailing List Thread and the Openwall OSS Security Discussion for vendor-provided details.
Detection Methods for CVE-2025-66170
Indicators of Compromise
- API access log entries showing repeated calls to Backup plugin listing endpoints from a single authenticated user across short time windows.
- Backup listing API responses that return records associated with account IDs the caller does not own.
- Unexpected enumeration patterns from non-administrative service or user accounts.
Detection Strategies
- Audit CloudStack management server access logs for backup-related API calls and correlate caller account IDs against returned resource ownership.
- Compare response volumes for backup listing APIs against historical baselines per user to identify reconnaissance behavior.
- Review role and API permission assignments to identify users with access to Backup plugin endpoints in 4.21.0.0 and 4.22.0.0 deployments.
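The three indicators and detection strategies above, implemented over constructed log lines as an added example (not code from the page or from CloudStack). The line format is an assumption: it supposes a response-logging hook or API proxy that records, for each listBackups call, the caller's account and the owner accounts of the returned records, since the ownership correlation in the first strategy needs response-side data that a plain access log does not carry.

```python
"""Detection logic for cross-tenant backup enumeration. Added example; the
log format, account identifiers and baseline figures are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line layout produced by a hypothetical response-logging hook.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) api=(?P<api>\S+) "
    r"count=(?P<count>\d+)(?: owners=(?P<owners>\S*))?$"
)

# Constructed sample log: acct-20 calls listBackups six times in six seconds
# and each response carries records owned by acct-10 and acct-30.
SAMPLE_LOG = """\
2026-05-12T10:00:01Z caller=acct-10 api=listBackups count=2 owners=acct-10,acct-10
2026-05-12T10:00:05Z caller=acct-20 api=listBackups count=4 owners=acct-10,acct-10,acct-20,acct-30
2026-05-12T10:00:06Z caller=acct-20 api=listBackups count=4 owners=acct-10,acct-10,acct-20,acct-30
2026-05-12T10:00:07Z caller=acct-20 api=listBackups count=4 owners=acct-10,acct-10,acct-20,acct-30
2026-05-12T10:00:08Z caller=acct-20 api=listBackups count=4 owners=acct-10,acct-10,acct-20,acct-30
2026-05-12T10:00:09Z caller=acct-20 api=listBackups count=4 owners=acct-10,acct-10,acct-20,acct-30
2026-05-12T10:00:10Z caller=acct-20 api=listBackups count=4 owners=acct-10,acct-10,acct-20,acct-30
2026-05-12T10:05:00Z caller=acct-30 api=listVirtualMachines count=3
2026-05-12T11:00:00Z caller=acct-10 api=listBackups count=2 owners=acct-10,acct-10
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "caller": d["caller"],
        "api": d["api"],
        "count": int(d["count"]),
        "owners": d["owners"].split(",") if d["owners"] else [],
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def cross_account_hits(events):
    """Indicator: a listing response holding records owned by accounts other
    than the caller. Returns (caller, timestamp, sorted foreign owners)."""
    hits = []
    for e in events:
        if e["api"] != "listBackups":
            continue
        foreign = sorted({o for o in e["owners"] if o != e["caller"]})
        if foreign:
            hits.append((e["caller"], e["ts"], foreign))
    return hits


def burst_callers(events, window=timedelta(seconds=60), threshold=5):
    """Indicator: repeated listBackups calls from one caller inside a short
    sliding window. Returns {caller: largest call count seen in one window}."""
    per_caller = defaultdict(list)
    for e in events:
        if e["api"] == "listBackups":
            per_caller[e["caller"]].append(e["ts"])
    flagged = {}
    for caller, times in per_caller.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[caller] = max(flagged.get(caller, 0), size)
    return flagged


def volume_anomalies(events, baseline, factor=3.0):
    """Strategy: per-caller listBackups record volume against a historical
    baseline (constructed dict of records per period). A caller absent from
    the baseline has never used the API before and is flagged as well."""
    volume = Counter()
    for e in events:
        if e["api"] == "listBackups":
            volume[e["caller"]] += e["count"]
    return {c: v for c, v in volume.items()
            if c not in baseline or v > factor * baseline[c]}
```

Run against the sample log, cross_account_hits flags every acct-20 response, burst_callers flags acct-20 with six calls inside one minute, and volume_anomalies with a constructed baseline of {"acct-10": 4} flags acct-20 as a first-time caller returning 24 records. In a real deployment the per-caller baseline would be computed from the same log over a trailing period rather than supplied by hand.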
Monitoring Recommendations
- Forward CloudStack management server logs to a centralized logging or SIEM platform and alert on anomalous backup API usage.
- Track authentication events for accounts that begin invoking Backup APIs they have not previously used.
- Monitor for privilege or role changes that grant non-administrative users access to backup listing functionality.
How to Mitigate CVE-2025-66170
Immediate Actions Required
- Upgrade Apache CloudStack to version 4.22.0.1 or later, which contains the authorization fix.
- Inventory all CloudStack management servers running 4.21.0.0 or 4.22.0.0 and confirm whether the Backup plugin is enabled.
- Review user and role assignments to restrict access to Backup plugin APIs to accounts that require them.
Patch Information
Apache CloudStack 4.22.0.1 resolves the improper authorization logic in the Backup plugin. Operators should follow the standard CloudStack management server upgrade procedure and validate plugin functionality after the upgrade. Refer to the Apache Security Mailing List Thread for the official advisory.
Workarounds
- Disable the Backup plugin in affected deployments until the upgrade to 4.22.0.1 is completed, if backup functionality is not in active use.
- Restrict Backup plugin API access through CloudStack role definitions so that only trusted administrative accounts can invoke the affected endpoints.
- Place the CloudStack management API behind network controls that limit access to known administrative sources.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.