CVE-2025-66171 Overview
CVE-2025-66171 is an improper access control vulnerability in the Apache CloudStack Backup plugin affecting versions 4.21.0.0 and 4.22.0.0. The flaw allows any authenticated user with access to specific backup APIs to create new virtual machines using backups belonging to other users in the environment. This breaks tenant isolation in multi-tenant CloudStack deployments and enables unauthorized access to sensitive data stored in other users' VM backups. The vulnerability is tracked under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor).
Critical Impact
Authenticated users can restore and instantiate VMs from backups belonging to any other tenant, exposing confidential data across account boundaries.
Affected Products
- Apache CloudStack 4.21.0.0
- Apache CloudStack 4.22.0.0
- CloudStack deployments with the Backup plugin enabled
Discovery Timeline
- 2026-05-08 - CVE-2025-66171 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-66171
Vulnerability Analysis
The Apache CloudStack Backup plugin contains improper access control logic in the API workflow that handles VM creation from backups. The plugin fails to verify that the authenticated caller owns the backup resource referenced in the request. Any user with valid credentials and access to the relevant backup APIs can supply a backup identifier belonging to another account and provision a new VM from that backup.
Because the resulting VM is instantiated from another user's data, the attacker gains access to the original VM's disk contents, application state, credentials, and any sensitive material stored at backup time. This breaks the tenant isolation model that CloudStack environments depend on, particularly in service-provider and multi-tenant private cloud deployments.
The attack requires authentication but no user interaction and runs over the network against the CloudStack management API.
Root Cause
The root cause is missing ownership validation on backup resources in the plugin's create-VM-from-backup code path. The backup plugin treats backup identifiers as referenceable by any authenticated caller rather than restricting access to the owning account or domain. Apache fixed the logic in CloudStack 4.22.0.1.
Attack Vector
An attacker authenticates to the CloudStack API with any low-privileged user account in an affected environment. The attacker enumerates or guesses backup identifiers, then invokes the backup plugin API to create a new VM from a target backup. CloudStack provisions the VM using the victim's backup data, and the attacker boots and accesses it under their own account.
No verified public proof-of-concept code is available. See the Apache Mailing List Discussion and the Openwall OSS-Security Update for vendor-provided technical context.
Detection Methods for CVE-2025-66171
Indicators of Compromise
- CloudStack API audit log entries showing createVMFromBackup or equivalent backup-restore calls referencing backup IDs owned by a different account than the caller.
- Unexpected VM instances appearing in user accounts with disk contents matching other tenants' workloads.
- Spikes in backup-listing or backup-query API calls from non-administrative accounts.
Detection Strategies
- Correlate the account field on backup objects with the account field of the API caller in CloudStack management server logs and alert on mismatches.
- Review CloudStack usage and event records for VM creation events that reference backups belonging to other domains or projects.
- Hunt for newly created VMs whose source backup ownership does not align with the creator's account scope.
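The correlation described in the first and third strategies above, as an added example that is not part of this page or of CloudStack: it joins a backup-ownership inventory against audit records of createVMFromBackup calls and reports every call whose backup owner is not the calling account. Both inputs are constructed for the example, and the key=value record format is an assumption, not CloudStack's real log layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed backup inventory: backup UUID -> owning account, as an
# administrator could export it from listBackups. Values are made up.
BACKUP_OWNERS = {
    "b1f3-acct-a-web": "ROOT/acct-a",
    "b2c9-acct-b-db": "ROOT/acct-b",
    "b3d4-acct-c-app": "ROOT/acct-c",
}

# Constructed audit records in a simple key=value format. This is NOT
# CloudStack's real log layout; adapt LINE_RE to what your server emits.
SAMPLE_AUDIT_LINES = """\
2026-05-09T10:01:12Z caller=ROOT/acct-a cmd=createVMFromBackup backupid=b1f3-acct-a-web
2026-05-09T10:05:40Z caller=ROOT/acct-b cmd=listBackups
2026-05-09T10:07:03Z caller=ROOT/acct-b cmd=createVMFromBackup backupid=b1f3-acct-a-web
2026-05-09T10:09:55Z caller=ROOT/acct-c cmd=createVMFromBackup backupid=b3d4-acct-c-app
2026-05-09T10:11:20Z caller=ROOT/acct-b cmd=createVMFromBackup backupid=unknown-id
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) cmd=(?P<cmd>\S+)"
    r"(?: backupid=(?P<backupid>\S+))?$"
)

@dataclass(frozen=True)
class Finding:
    timestamp: str
    caller: str
    backup_id: str
    owner: Optional[str]  # None when the backup id is not in the inventory

def find_cross_tenant_restores(lines: str, owners=BACKUP_OWNERS,
                               restore_cmds=("createVMFromBackup",)) -> List[Finding]:
    findings = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["cmd"] not in restore_cmds or not m["backupid"]:
            continue  # not a restore-from-backup call, or no backup id given
        owner = owners.get(m["backupid"])
        # Owner mismatch = cross-tenant restore; unknown ids are flagged too (possible id probing).
        if owner != m["caller"]:
            findings.append(Finding(m["ts"], m["caller"], m["backupid"], owner))
    return findings

if __name__ == "__main__":
    for f in find_cross_tenant_restores(SAMPLE_AUDIT_LINES):
        print(f"ALERT {f.timestamp}: {f.caller} restored {f.backup_id} owned by {f.owner}")
```

The same join, run over historical records, is the check needed for the post-incident audit of VMs created since 4.21.0.0 or 4.22.0.0 was deployed.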
Monitoring Recommendations
- Forward CloudStack management server logs and API audit events to a central analytics platform for cross-tenant correlation.
- Enable verbose logging on the Backup plugin and retain logs covering the whole period since the plugin was deployed, so the full investigation window is available.
- Monitor authentication and API key usage patterns to identify accounts performing unusual backup-related operations.
How to Mitigate CVE-2025-66171
Immediate Actions Required
- Upgrade Apache CloudStack to version 4.22.0.1, which contains the official fix from the Apache CloudStack project.
- Audit existing VMs created since deploying CloudStack 4.21.0.0 or 4.22.0.0 to identify any provisioned from backups owned by other accounts.
- Rotate credentials, API keys, and secrets stored within any VM whose backup may have been accessed by another tenant.
Patch Information
Apache CloudStack 4.22.0.1 corrects the access control logic in the Backup plugin so backup resources are validated against the caller's account before VM creation. Refer to the Apache Mailing List Discussion for upstream release details.
Workarounds
- Disable the Backup plugin until the upgrade to 4.22.0.1 is completed if backup functionality is not operationally required.
- Restrict access to backup-related APIs using CloudStack role-based access control so only trusted administrative accounts can invoke them.
- Limit network reachability of the CloudStack management API to administrative networks to reduce exposure of authenticated low-privilege accounts.
# Configuration example: deny backup-related APIs for a role via CloudStack role permissions
# Replace <role-id> with the target role identifier. Role permissions are evaluated in order
# and the first matching rule wins, so these deny rules must sit before any broad allow rule
# on the role (reorder with updateRolePermission if needed).
cloudmonkey create rolepermission roleid=<role-id> rule=createVMFromBackup permission=deny
cloudmonkey create rolepermission roleid=<role-id> rule=listBackups permission=deny
cloudmonkey create rolepermission roleid=<role-id> rule=createBackup permission=deny
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.