Platform
apache
Component
apache-cloudstack
Fixed in
4.19.3.0
4.20.1.0
CVE-2025-47849 describes a privilege escalation vulnerability affecting Apache CloudStack versions 4.10.0.0 through 4.20.0.0. A malicious Domain Admin user within the ROOT domain can exploit this flaw to obtain the API keys of Admin role user-accounts, granting them unauthorized access. This can lead to resource compromise, data loss, and denial of service. The vulnerability is resolved in version 4.20.1.0.
This vulnerability allows a malicious Domain Admin to effectively impersonate Admin users within the same CloudStack domain. By obtaining the API key and secret key, the attacker can execute actions as the impersonated Admin, bypassing standard access controls. This could involve creating, modifying, or deleting virtual machines, networks, or storage volumes. The attacker could also access sensitive data stored within CloudStack, potentially leading to data exfiltration or modification. The blast radius extends to any resources accessible by the impersonated Admin user, making this a significant security risk.
CVE-2025-47849 was publicly disclosed on 2025-06-10. No public proof-of-concept (PoC) code is currently available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the potential for significant impact and the relatively straightforward nature of the exploit, it is prudent to assume a medium probability of exploitation.
Organizations utilizing Apache CloudStack in production environments, particularly those with complex domain hierarchies and a large number of administrative accounts, are at risk. Shared hosting environments where multiple customers share a CloudStack instance are also vulnerable, as a compromised Domain Admin account could potentially impact other tenants.
• apache: Examine CloudStack audit logs for unusual API key access patterns or attempts to impersonate Admin users.

    journalctl -u cloudstack-management -f | grep "API key" | grep "Admin"

• apache: Monitor CloudStack API endpoints for unauthorized access attempts.

    curl -I https://<cloudstack_management_server>/api/cloudstack/ | grep -i "403 forbidden"

• generic web: Review CloudStack access logs for suspicious activity originating from the ROOT domain.

    grep "Domain Admin" /var/log/apache2/access.log

Exploit status
disclosure
EPSS
0.09% (25th percentile)
The primary mitigation for CVE-2025-47849 is to upgrade Apache CloudStack to version 4.20.1.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing stricter access controls and monitoring for suspicious API activity. Review CloudStack's access control policies to ensure the principle of least privilege is enforced. Implement a Web Application Firewall (WAF) with rules to detect and block unauthorized API requests. After upgrading, verify the fix by attempting to access Admin-level APIs with a Domain Admin account and confirming access is denied.
Upgrade Apache CloudStack to version 4.19.3.0 or 4.20.1.0. These releases add strict validation of the role-type hierarchy and of API privilege comparisons, together with new domain-level settings that restrict operations on accounts of the same role type and within the same account.
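Because the fix lives on two release branches (4.19.3.0 and 4.20.1.0), a plain "is my version below X" check gets 4.19.x wrong. The script below is an added example, not code from the advisory or from the Apache CloudStack project: it encodes the affected range stated above (4.10.0.0 through 4.20.0.0, fixed from 4.19.3.0 and 4.20.1.0), and it can ask a management server which release it runs by calling `listCapabilities` with a signed request, following the signing scheme documented in the CloudStack API developer guide. The management-server URL and the API/secret keys are placeholders you must supply; the sample version strings in the main block are constructed.

```python
"""Affected-version check for CVE-2025-47849 (Apache CloudStack).

Added example, not part of the original advisory. Ranges come from the advisory
text; request signing follows the CloudStack API developer guide (sorted,
URL-encoded, lower-cased query; HMAC-SHA1 with the secret key; base64).
"""
import base64
import hashlib
import hmac
import json
import re
import urllib.parse
import urllib.request

FIRST_AFFECTED = (4, 10, 0, 0)
FIXED_419 = (4, 19, 3, 0)   # first fixed release on the 4.19 branch
FIXED_420 = (4, 20, 1, 0)   # first fixed release on the 4.20 branch


def parse_version(text):
    """Turn '4.19.3.0' (or '4.20.1.0-SNAPSHOT') into a comparable 4-tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised CloudStack version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version):
    """True if this release is inside the vulnerable range for CVE-2025-47849.

    The 4.19 line is fixed from 4.19.3.0; 4.20.0.0 is still vulnerable and the
    4.20 line is fixed from 4.20.1.0. Releases before 4.10.0.0 are out of scope.
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    if v < FIXED_419:
        return True                 # 4.10.0.0 .. 4.19.2.x
    if v < (4, 20, 0, 0):
        return False                # 4.19.3.0 and later 4.19.x
    return v < FIXED_420            # 4.20.0.x vulnerable, 4.20.1.0+ fixed


def signed_query(params, api_key, secret_key):
    """Build the signed query string CloudStack expects for a GET request.

    Add apiKey/response, URL-encode values (+ becomes %20), sort by parameter
    name, HMAC-SHA1 the lower-cased string with the secret key, base64 the
    digest and append it URL-encoded as 'signature'.
    """
    args = dict(params, apiKey=api_key, response="json")
    pairs = [f"{k}={urllib.parse.quote_plus(str(v)).replace('+', '%20')}"
             for k, v in sorted(args.items(), key=lambda kv: kv[0].lower())]
    query = "&".join(pairs)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return query + "&signature=" + urllib.parse.quote_plus(signature)


def fetch_server_version(base_url, api_key, secret_key, timeout=10):
    """Ask the management server which release it runs (listCapabilities).

    Use this after upgrading to confirm the running build is 4.19.3.0+ or
    4.20.1.0+. This is a network call and is not exercised offline.
    """
    url = base_url.rstrip("/") + "/client/api?" + signed_query(
        {"command": "listCapabilities"}, api_key, secret_key)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = json.load(resp)
    return body["listcapabilitiesresponse"]["capability"]["cloudstackversion"]


def assess(version):
    """Human-readable verdict for one version string."""
    if is_affected(version):
        return f"{version}: AFFECTED by CVE-2025-47849, upgrade to 4.19.3.0 or 4.20.1.0+"
    return f"{version}: not affected (fixed or outside the vulnerable range)"


if __name__ == "__main__":
    # Constructed sample versions; replace with fetch_server_version(...) for a real server.
    for sample in ("4.9.3.0", "4.10.0.0", "4.19.2.0", "4.19.3.0", "4.20.0.0", "4.20.1.0"):
        print(assess(sample))
```

Run the file to see the verdict for each sample version; point `fetch_server_version` at your own management server (placeholder URL and keys) to check the live build, and compare its result with `is_affected` before closing the ticket.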
CVE-2025-47849 is a vulnerability in Apache CloudStack versions 4.10.0.0–4.20.0.0 that allows a malicious Domain Admin to escalate privileges by obtaining Admin API keys, potentially leading to data compromise and denial of service.
If you are running Apache CloudStack versions 4.10.0.0 through 4.20.0.0, you are potentially affected by this vulnerability. Upgrade to 4.20.1.0 or later to mitigate the risk.
The recommended fix is to upgrade Apache CloudStack to version 4.20.1.0 or later. Consider implementing stricter access controls and MFA as interim measures.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-47849, but the potential for exploitation exists.
Refer to the official Apache CloudStack security advisory for detailed information and updates regarding CVE-2025-47849: [https://lists.cloudstack.apache.org/gmane/list/security/spamsg/176061/1](https://lists.cloudstack.apache.org/gmane/list/security/spamsg/176061/1)