CVE-2025-66172 Overview
CVE-2025-66172 is an improper access control flaw, classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), in the Apache CloudStack Backup plugin, affecting versions 4.21.0.0 and 4.22.0.0. Any authenticated user with access to specific backup APIs can restore volumes from other users' backups, attach the restored volumes to virtual machines (VMs) in their own account, and read data belonging to other tenants of the cloud.
The vulnerability requires only low-privileged authenticated access and is exploitable over the network without user interaction. Apache CloudStack has released version 4.22.0.1 to address this issue.
Critical Impact
Authenticated tenants can access and exfiltrate backup data belonging to other users in shared CloudStack deployments, breaching tenant isolation and exposing sensitive workloads.
Affected Products
- Apache CloudStack 4.21.0.0
- Apache CloudStack 4.22.0.0
- Deployments with the Backup plugin enabled
Discovery Timeline
- 2026-05-08 - CVE-2025-66172 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-66172
Vulnerability Analysis
The Apache CloudStack Backup plugin does not adequately verify ownership when handling backup restoration requests. The affected backup APIs accept a reference to a backup object without checking that the requesting account owns, or is otherwise authorized to access, the underlying backup. An authenticated user can therefore submit a restore operation that references another tenant's backup, receive a usable volume, and attach it to a VM they own.
This breaks the tenant isolation model that multi-tenant CloudStack deployments depend on. The impact is to the confidentiality of any data held in volume backups across the affected environment, including database files, configuration and application data. The described path yields a copy of the victim's data in the attacker's account; no modification of the victim's own volumes is described.
Root Cause
The root cause is missing or incorrect authorization logic in the backup volume restoration code path. The plugin trusts the backup identifier supplied in the API request and proceeds with restoration without verifying the caller's relationship to the source volume or the backup's owner. This is the pattern CWE-359 describes, exposure of private information to an unauthorized actor, arising here from an access-control check that is absent from a privileged operation.
Attack Vector
An attacker needs an authenticated CloudStack account permitted to invoke the affected backup APIs. From there, the attacker obtains backup identifiers belonging to other users (CloudStack API identifiers are UUIDs, so blind guessing is impractical and the attacker needs some way to learn them) and issues a restore request. The platform creates a new volume containing the victim's data and allows the attacker to attach it to a VM in their own account. Mounting the volume inside that VM exposes the file-system contents directly to the attacker.
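The Root Cause and Attack Vector sections describe a restore path that acts on whatever backup identifier the caller supplies. The following added example, which is not Apache CloudStack code and makes no claim about how the 4.22.0.1 fix is implemented, models that flaw class in a few lines of Python beside a hardened variant that scopes the backup to the caller's account or domain. The Account/Backup/Volume types, the role names and the "same domain" rule for domain admins are simplified assumptions; the sample state is constructed.

```python
"""Illustrative model of the authorization check missing from a backup-restore path.

Added example, not Apache CloudStack code: it models the flaw class the advisory
describes (a restore API that acts on any caller-supplied backup id) beside a hardened
variant that scopes the backup to the caller's account or domain. The Account/Backup/
Volume types, role names and the "same domain" admin rule are simplified assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import itertools


@dataclass(frozen=True)
class Account:
    account_id: str
    domain_id: str
    role: str  # assumed roles: "user", "domain_admin", "root_admin"


@dataclass(frozen=True)
class Backup:
    backup_id: str
    owner_account_id: str
    owner_domain_id: str
    data: bytes  # stands in for the backed-up volume contents


@dataclass
class Volume:
    volume_id: str
    owner_account_id: str
    data: bytes
    attached_vm: Optional[str] = None


# Constructed sample state: a victim tenant's backup, plus an attacker in another domain.
BACKUPS: Dict[str, Backup] = {
    "b-victim": Backup("b-victim", "acct-victim", "dom-a", b"customers.db: ..."),
}
VICTIM = Account("acct-victim", "dom-a", "user")
ATTACKER = Account("acct-attacker", "dom-b", "user")
DOMAIN_A_ADMIN = Account("acct-dom-a-admin", "dom-a", "domain_admin")

_volume_ids = itertools.count(1)


def _materialize(caller: Account, backup: Backup, vm_id: str) -> Volume:
    """Create a volume from the backup in the caller's account and attach it to vm_id."""
    vol = Volume(f"vol-{next(_volume_ids)}", caller.account_id, backup.data)
    vol.attached_vm = vm_id
    return vol


def restore_vulnerable(caller: Account, backup_id: str, vm_id: str) -> Volume:
    """Restore without an ownership check (the flaw class): the backup id is only
    checked for existence, so any authenticated caller who obtains another tenant's
    backup id receives that tenant's data in a volume attached to their own VM."""
    backup = BACKUPS[backup_id]  # raises KeyError if unknown; owner never consulted
    return _materialize(caller, backup, vm_id)


def may_access(caller: Account, backup: Backup) -> bool:
    """Authorization rule the vulnerable path lacks: own the backup, administer the
    owner's domain (simplified here to an exact domain match), or be a root admin."""
    if caller.role == "root_admin":
        return True
    if caller.role == "domain_admin":
        return caller.domain_id == backup.owner_domain_id
    return caller.account_id == backup.owner_account_id


def restore_checked(caller: Account, backup_id: str, vm_id: str) -> Volume:
    """Hardened restore: resolve the backup, then authorize the caller against its
    owner before any volume is created. Missing and foreign backups get the same
    error so the response does not confirm that a guessed id exists."""
    backup = BACKUPS.get(backup_id)
    if backup is None or not may_access(caller, backup):
        raise PermissionError("backup not found or not accessible to this account")
    return _materialize(caller, backup, vm_id)


def is_denied(caller: Account, backup_id: str, vm_id: str = "vm-any") -> bool:
    """True if the hardened path refuses the restore."""
    try:
        restore_checked(caller, backup_id, vm_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    leaked = restore_vulnerable(ATTACKER, "b-victim", "vm-attacker")
    print("vulnerable path gave", leaked.owner_account_id, "the data:", leaked.data)
    print("hardened path denies attacker:", is_denied(ATTACKER, "b-victim"))
```

The point of the hardened variant is the order of operations: the backup is resolved and the caller is authorized against its owner before any volume exists, and a foreign backup is indistinguishable from a missing one in the response, so the API cannot be used as an oracle for valid identifiers.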
No verified public proof-of-concept code is available. See the Apache List Discussion and OpenWall OSS Security Update for vendor details.
Detection Methods for CVE-2025-66172
Indicators of Compromise
- Backup restore API calls referencing backup IDs that do not belong to the requesting account in CloudStack management server logs.
- Unexpected volume creation events followed by attachment to VMs owned by a different account than the original backup source.
- Anomalous spikes in restore-related backup API commands (for example restoreVolumeFromBackupAndAttachToVM or restoreBackup) from a single user account.
Detection Strategies
- Audit CloudStack management server logs for cross-tenant backup operations by correlating backup owner account IDs with the calling account ID on each API request.
- Establish baselines of normal backup restoration activity per tenant and alert when frequency or target ownership deviates.
- Review volume attachment history for volumes that originated from backups owned by a different account than the destination VM.
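The indicators and detection strategies above come down to one correlation: for every restore-type backup API call, compare the calling account with the owner of the referenced backup, and separately watch for one account issuing far more restores than its baseline. The following added example (not part of the advisory and not a CloudStack tool) implements both checks over constructed log lines. The line format is only loosely modelled on the management server's api-server.log (a request context carrying accountId, followed by the command query string), so the regular expressions are assumptions to adjust to your deployment; the backup-owner map stands in for an inventory an operator would export, for example from listBackups run as an administrator.

```python
"""Detection over API-audit log lines: flag backup restores whose caller account is not
the backup's owner, and callers issuing unusually many restores.

Added example, not part of the advisory or of CloudStack. The log lines below are
constructed and only loosely modelled on the management server's api-server.log
(accountId in the request context, command=...&backupid=... query string); adjust the
regular expressions to the exact format of your deployment. BACKUP_OWNERS stands in for
an inventory an operator would export (for example from listBackups as an admin).
"""
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List

# Restore-type commands to correlate (real CloudStack backup API command names).
RESTORE_COMMANDS = {"restoreBackup", "restoreVolumeFromBackupAndAttachToVM"}

# Constructed sample lines: account 7 restores three foreign backups in a few minutes,
# account 3 restores its own backup, account 2 (an admin) restores someone else's.
SAMPLE_LOG = """\
2025-12-10 09:14:02,117 INFO  [c.c.a.ApiServer] (qtp-12) (userId=7 accountId=7) 10.10.4.21 -- GET command=listBackups&response=json 200
2025-12-10 09:14:09,402 INFO  [c.c.a.ApiServer] (qtp-12) (userId=7 accountId=7) 10.10.4.21 -- GET command=restoreVolumeFromBackupAndAttachToVM&backupid=6a1f-b1&virtualmachineid=vm-77&response=json 200
2025-12-10 09:15:31,880 INFO  [c.c.a.ApiServer] (qtp-30) (userId=7 accountId=7) 10.10.4.21 -- GET command=restoreVolumeFromBackupAndAttachToVM&backupid=6a1f-b2&virtualmachineid=vm-77&response=json 200
2025-12-10 09:16:05,004 INFO  [c.c.a.ApiServer] (qtp-31) (userId=7 accountId=7) 10.10.4.21 -- GET command=restoreVolumeFromBackupAndAttachToVM&backupid=6a1f-b3&virtualmachineid=vm-77&response=json 200
2025-12-10 10:02:44,551 INFO  [c.c.a.ApiServer] (qtp-40) (userId=3 accountId=3) 10.10.8.5 -- GET command=restoreBackup&backupid=6a1f-b2&response=json 200
2025-12-10 11:40:12,009 INFO  [c.c.a.ApiServer] (qtp-41) (userId=2 accountId=2) 10.10.0.2 -- GET command=restoreVolumeFromBackupAndAttachToVM&backupid=6a1f-b3&virtualmachineid=vm-9&response=json 200
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Constructed owner inventory: backup id -> owning account id.
BACKUP_OWNERS: Dict[str, str] = {"6a1f-b1": "3", "6a1f-b2": "3", "6a1f-b3": "5"}
# Accounts allowed to restore any tenant's backup (assumed: the root admin account).
ADMIN_ACCOUNTS: FrozenSet[str] = frozenset({"2"})

LINE_RE = re.compile(r"accountId=(?P<account>\d+)\).*?command=(?P<command>\w+)(?P<query>\S*)")
BACKUP_RE = re.compile(r"[&?]backupid=([^&\s]+)")


def parse_restores(lines: Iterable[str]) -> List[dict]:
    """Extract (account, command, backupid) for every restore-type API call."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("command") not in RESTORE_COMMANDS:
            continue
        b = BACKUP_RE.search(m.group("query"))
        events.append({
            "account": m.group("account"),
            "command": m.group("command"),
            "backupid": b.group(1) if b else None,
            "line": line,
        })
    return events


def find_cross_tenant_restores(lines, backup_owners, admin_accounts=frozenset()):
    """Flag restores where the caller is not the backup owner and not an admin.
    A backup id missing from the inventory is flagged too: an unknown owner is a gap
    in the inventory, not evidence that the call was legitimate."""
    findings = []
    for ev in parse_restores(lines):
        if ev["account"] in admin_accounts:
            continue
        owner = backup_owners.get(ev["backupid"])
        if owner is None or owner != ev["account"]:
            findings.append({**ev, "owner": owner})
    return findings


def restore_counts(lines: Iterable[str]) -> Counter:
    """Restore-type calls per account, the raw material for a per-tenant baseline."""
    return Counter(ev["account"] for ev in parse_restores(lines))


def accounts_over_baseline(lines: Iterable[str], max_restores: int) -> List[str]:
    """Accounts whose restore count exceeds the allowed number for the log window."""
    return sorted(a for a, n in restore_counts(lines).items() if n > max_restores)


if __name__ == "__main__":
    for f in find_cross_tenant_restores(SAMPLE_LINES, BACKUP_OWNERS, ADMIN_ACCOUNTS):
        print(f"cross-tenant restore: account {f['account']} -> backup {f['backupid']} "
              f"(owner {f['owner']}) via {f['command']}")
    print("accounts over baseline of 2:", accounts_over_baseline(SAMPLE_LINES, 2))
```

Run against real logs, feed the lines from api-server.log and replace BACKUP_OWNERS with an export of backup ids and owning accounts taken before the upgrade; the ownership check is the one that matters for this CVE, since on an unpatched server the cross-tenant restore succeeds and leaves no denied-authorization event behind.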
Monitoring Recommendations
- Forward CloudStack management server and API audit logs to a centralized SIEM for correlation and long-term retention.
- Alert on anomalous backup API call patterns from low-privileged accounts. Note that on unpatched versions the cross-tenant restore succeeds, so there is no failed-authorization event to alert on; detection has to correlate backup ownership with the calling account.
- Monitor for unexpected volume objects appearing in tenant accounts shortly after backup API activity.
How to Mitigate CVE-2025-66172
Immediate Actions Required
- Upgrade Apache CloudStack to version 4.22.0.1, which contains the official fix.
- Inventory all CloudStack deployments to identify environments running 4.21.0.0 or 4.22.0.0 with the Backup plugin enabled.
- Review backup and volume audit logs for evidence of cross-tenant restore activity prior to patching.
Patch Information
Apache has released CloudStack 4.22.0.1 to remediate the improper access logic in the Backup plugin. Administrators running affected versions should plan an upgrade through standard CloudStack upgrade procedures. Refer to the Apache List Discussion for upgrade guidance and the OpenWall OSS Security Update for advisory details.
Workarounds
- Disable the Backup plugin in affected CloudStack environments until the upgrade to 4.22.0.1 is complete.
- Restrict access to backup-related APIs using role-based access control so only trusted administrators can invoke restore operations.
- Review tenant account roles and permissions to limit the population of users able to call backup APIs while the patch is being rolled out. Rotating credentials alone does not remove the exposure, since any authenticated user who retains access to the backup APIs can still invoke the vulnerable path.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.