Platform: apache
Component: apache-cloudstack
Fixed in: 4.19.3.0, 4.20.1.0
CVE-2025-47713 describes a privilege escalation vulnerability affecting Apache CloudStack versions 4.10.0.0 through 4.20.0.0. A malicious Domain Admin user within the ROOT domain can exploit this flaw to reset the passwords of Admin-role user accounts. This allows an attacker to assume control of higher-privileged accounts, potentially leading to significant security breaches.
The impact of CVE-2025-47713 is substantial. A successful exploitation allows a malicious Domain Admin to impersonate an Admin user, granting them access to sensitive APIs and resources. This can result in a wide range of damaging consequences, including the compromise of resource integrity and confidentiality, data loss, denial of service, and overall infrastructure unavailability. The attacker could potentially manipulate virtual machines, storage, and networking configurations, effectively taking control of the CloudStack environment. This vulnerability highlights a critical flaw in access control mechanisms within the platform.
CVE-2025-47713 was publicly disclosed on 2025-06-10. Currently, there are no known public proof-of-concept exploits available. The vulnerability's severity is pending evaluation, but the potential for privilege escalation warrants careful attention. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2025-47713 is to upgrade Apache CloudStack to version 4.20.1.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing stricter access controls within the ROOT domain to limit the privileges of Domain Admin users. Review and audit existing user accounts and permissions to identify any anomalies. Implement multi-factor authentication (MFA) for all administrative accounts to add an extra layer of security. Monitor CloudStack logs for suspicious activity, particularly password reset attempts.
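As an added example (not code from the advisory or from the CloudStack project) of the last mitigation above, the script below scans API log lines for updateUser calls that set a password, and flags those where the caller is a Domain Admin and the target is an Admin-role user, the combination this vulnerability abuses. The log line layout and the user snapshot are constructed assumptions; the accounttype values follow CloudStack's listUsers convention (0 = User, 1 = Admin, 2 = Domain Admin).

```python
"""Flag password resets where a Domain Admin targets an Admin-role user."""
import re
from urllib.parse import parse_qs

# Constructed snapshot of what listUsers could return, keyed by user id.
# accounttype: 0 = User, 1 = Admin, 2 = Domain Admin.
USERS = {
    "2": {"username": "admin", "accounttype": 1, "domain": "ROOT"},
    "7": {"username": "dom-admin", "accounttype": 2, "domain": "ROOT"},
    "9": {"username": "alice", "accounttype": 0, "domain": "ROOT"},
}

# Constructed lines in the general shape of the management server's API log
# (assumption: the exact layout varies between CloudStack versions).
SAMPLE_LOG = """\
2025-06-10 10:01:02,001 INFO  [c.c.a.ApiServer] (userId=7 accountId=7 sessionId=abc) 10.0.0.5 -- GET command=updateUser&id=2&password=***&response=json 200 ok
2025-06-10 10:02:02,001 INFO  [c.c.a.ApiServer] (userId=2 accountId=2 sessionId=def) 10.0.0.6 -- GET command=updateUser&id=9&password=***&response=json 200 ok
2025-06-10 10:03:02,001 INFO  [c.c.a.ApiServer] (userId=7 accountId=7 sessionId=abc) 10.0.0.5 -- GET command=listVirtualMachines&response=json 200 ok
"""

# Caller id, client address, query string and HTTP status from one log line.
LINE_RE = re.compile(
    r"\(userId=(?P<uid>\d+) [^)]*\) (?P<ip>\S+) -- \w+ (?P<qs>\S+) (?P<status>\d{3})"
)


def find_suspect_resets(log_text, users):
    """Return updateUser password changes made by a Domain Admin on an Admin user."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an API request line
        params = parse_qs(m.group("qs"), keep_blank_values=True)
        if params.get("command", [""])[0] != "updateUser" or "password" not in params:
            continue  # only password-setting updateUser calls matter here
        caller = users.get(m.group("uid"))
        target = users.get(params.get("id", [""])[0])
        if not caller or not target:
            continue  # unknown ids: cannot classify, leave for manual review
        if caller["accounttype"] == 2 and target["accounttype"] == 1:
            hits.append({"caller": caller["username"], "target": target["username"],
                         "ip": m.group("ip"), "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_resets(SAMPLE_LOG, USERS):
        print("suspect password reset:", hit)
```

Feed it the real log and a fresh listUsers export; an Admin user legitimately resetting a lower-privileged user's password (the second sample line) is not flagged.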
Upgrade Apache CloudStack to version 4.19.3.0 or 4.20.1.0. These versions fix the privilege escalation vulnerability that allows a malicious Domain Admin to reset the password of Admin accounts in the root domain.
CVE-2025-47713 is a vulnerability in Apache CloudStack versions 4.10.0.0–4.20.1.0 that allows a malicious Domain Admin to reset Admin passwords, potentially taking control of those higher-privileged accounts.
If you are running Apache CloudStack versions 4.10.0.0 through 4.20.0.0, you are potentially affected by this vulnerability.
Upgrade Apache CloudStack to version 4.20.1.0 or later to resolve the vulnerability. Implement stricter access controls as an interim measure.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the potential impact warrants immediate attention.
Refer to the official Apache CloudStack security advisory for detailed information and updates: [https://lists.cloudstack.apache.org/gmane/list/security/spamsg/138243.html](https://lists.cloudstack.apache.org/gmane/list/security/spamsg/138243.html)