Apache CloudStack Flaw Allows Attackers to Execute Privileged Actions
Apache CloudStack, a leading open-source cloud management platform, has announced the immediate availability of new Long-Term Support (LTS) releases—version 4.19.3.0 and 4.20.1.0—to address multiple critical security vulnerabilities.
The advisory, published by PMC member Pearl Dsilva on June 10, 2025, highlights five distinct vulnerabilities, two of which are rated critical and pose significant risks to user data and infrastructure integrity.
Critical Vulnerabilities and Exploit Scenarios
Among the most severe issues is CVE-2025-26521, a critical flaw affecting CKS-based Kubernetes clusters within CloudStack projects.
When a user creates a Kubernetes cluster, the API and secret keys of the ‘kubeadmin’ user are stored in the cluster’s secret configuration.
Project members with access to the cluster can retrieve these credentials, potentially impersonating the cluster creator and executing privileged actions.
This could lead to a full compromise of the creator’s resources, violating confidentiality, integrity, and availability.
Another critical vulnerability, CVE-2025-47713, allows Domain Admin users in the ROOT domain to reset the passwords of Admin role accounts.
This privilege escalation flaw, present in versions 4.10.0.0 through 4.20.0.0, enables attackers to assume control over highly privileged accounts, risking data loss, infrastructure disruption, and unauthorized access to sensitive APIs.
To remediate these issues, users are urged to upgrade to version 4.19.3.0 or 4.20.1.0.
The patches introduce strict validation of the role type hierarchy and of API privilege comparison. New domain-level settings, such as role.types.allowed.for.operations.on.accounts.of.same.role.type and allow.operations.on.users.in.same.account, further restrict sensitive operations to authorized roles.
For CKS users affected by CVE-2025-26521, the following remediation steps are recommended:
- Create a Service Account: Generate a new account with the “Project Kubernetes Service Role,” using the naming convention kubeadmin-
- Add to Project: Associate the service account with the relevant project.
- Generate API and Secret Keys: Create new keys for the default user of this account.
- Update Kubernetes Cluster Secret: Replace the existing secret in the Kubernetes cluster with the new credentials using kubectl commands:

```shell
./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret
./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config
rm /tmp/cloud-config
```

- Regenerate Original User Keys: Regenerate the API and secret keys for the original user account to invalidate the previous credentials.
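The final step, invalidating the original user's exposed keys, can be scripted against the CloudStack API. The following is an added example, not code from the advisory or the CloudStack project; it assumes the standard CloudStack request-signing scheme (sorted, lowercased query string, HMAC-SHA1, base64) and the `listUsers` and `registerUserKeys` API commands, and the endpoint URL, key values and username are placeholders.

```python
"""Rotate a CloudStack user's API/secret key pair so leaked copies stop working."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request


def sign_params(params: dict, secret_key: str) -> str:
    """CloudStack signature: sort parameters by (lowercased) name, URL-encode the
    values, lowercase the whole query string, HMAC-SHA1 it with the secret key,
    and base64-encode the digest."""
    query = "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*')}"
        for k, v in sorted(params.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_url(api_url: str, api_key: str, secret_key: str, command: str, **extra) -> str:
    """Assemble a signed GET URL for one API command (JSON response)."""
    params = {"command": command, "response": "json", "apikey": api_key, **extra}
    params["signature"] = sign_params(params, secret_key)
    return api_url + "?" + urllib.parse.urlencode(params)


def http_get_json(url: str) -> dict:
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def rotate_user_keys(api_url, api_key, secret_key, username, fetch=http_get_json):
    """Look up the user by name (refusing ambiguous matches), then call
    registerUserKeys, which issues a fresh pair and invalidates the old one.
    `fetch` is injectable so the flow can be exercised without a live server."""
    users = fetch(build_url(api_url, api_key, secret_key, "listUsers", username=username))
    matches = users.get("listusersresponse", {}).get("user", [])
    if len(matches) != 1:
        raise ValueError(f"expected exactly one user named {username!r}, got {len(matches)}")
    new = fetch(build_url(api_url, api_key, secret_key, "registerUserKeys", id=matches[0]["id"]))
    keys = new["registeruserkeysresponse"]["userkeys"]
    return keys["apikey"], keys["secretkey"]


if __name__ == "__main__":  # placeholder endpoint and credentials of the caller
    print(rotate_user_keys("https://cloudstack.example/client/api", "CALLER_APIKEY",
                           "CALLER_SECRET", "original-user"))
```

The caller's own keys must belong to an account permitted to manage the target user; the returned pair is the only place the new secret is shown, so store it immediately.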
For other vulnerabilities, such as unauthorized template/ISO access (CVE-2025-30675), insecure access to API/secret keys by Domain Admins (CVE-2025-47849), and quota-related privilege issues (CVE-2025-22829), upgrading to the latest release is the primary remediation step.
These fixes ensure proper domain resolution, strict role validation, and improved privilege management.
Risk Factor Table and Security Implications
The following table summarizes the risk factors associated with each vulnerability:
CVE ID | Severity | Affected Versions | Risk Description |
---|---|---|---|
CVE-2025-26521 | Critical | 4.17.0.0–4.19.2.0, 4.17.0.0–4.20.1.0 | Project members can access creator’s API/secret keys, leading to impersonation and resource loss |
CVE-2025-30675 | Low | 4.0.0–4.19.2.0, 4.0.0–4.20.0.0 | Domain/Resource Admins can view templates/ISOs outside their domain, exposing sensitive metadata |
CVE-2025-47713 | Critical | 4.10.0.0–4.19.2.0, 4.10.0.0–4.20.0.0 | Domain Admins can reset Admin passwords, enabling privilege escalation and system compromise |
CVE-2025-47849 | Moderate | 4.10.0.0–4.19.2.0, 4.10.0.0–4.20.0.0 | Domain Admins can access Admin API/secret keys, risking impersonation and unauthorized access |
CVE-2025-22829 | Low | 4.20.0.0 | Authenticated users can enable/disable quota emails and list configurations for any account |
The advisory emphasizes that users running versions older than 4.20.0.0 should skip directly to 4.20.1.0 to avoid exposure to these vulnerabilities.
The official source code and release notes for versions 4.19.3.0 and 4.20.1.0 are available on the Apache CloudStack project website.
These security updates are a timely reminder of the importance of rigorous access control and privilege management in cloud environments.
Organizations using Apache CloudStack should prioritize upgrading to the latest versions and follow the recommended remediation steps to mitigate the risk of exploitation.
The introduction of new domain-level settings and strict validation checks in the patched releases will help organizations maintain a robust security posture, safeguarding sensitive data and critical infrastructure.
By staying informed and proactive, administrators can protect their environments from evolving threats and ensure compliance with best practices in cloud security.