Privilege Escalation Vulnerability in Apache CloudStack by Apache
CVE-2025-47849

8.8HIGH

Key Information:

Vendor

Apache
Status
Apache Cloudstack
Vendor
CVE Published:
10 June 2025

What is CVE-2025-47849?

A privilege escalation vulnerability has been identified in Apache CloudStack, which allows a malicious Domain Admin user from the ROOT domain to obtain the API key and secret key of Admin role user accounts within the same domain. This flaw arises due to inadequate restrictions on certain operations, enabling attackers to impersonate higher-privileged accounts. As a result, sensitive APIs and resources may become accessible, leading to potential data loss, denial of service, and overall infrastructure compromise. It is crucial for users to upgrade to Apache CloudStack versions 4.19.3.0 or 4.20.1.0 to benefit from enhancements aimed at improving role hierarchy validation and enforcing strict API privilege checks.

Affected Version(s)

Apache CloudStack 4.10.0 < 4.19.3.0

Apache CloudStack 4.20.0.0 < 4.20.1.0

References

https://cloudstack.apache.org/blog/cve-advisories-4.19.3....
vendor-advisory
https://www.shapeblue.com/shapeblue-security-advisory-apa...
third-party-advisory
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39...
mailing-list

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.