CVE-2025-66171
Undergoing Analysis Undergoing Analysis - In Progress
Improper Access Control in CloudStack Backup Plugin

Publication date: 2026-05-08

Last updated on: 2026-05-09

Assigner: Apache Software Foundation

Description
The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2025-66171
EUVD
EUVD-2025-209741
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
apache cloudstack_backup_plugin 4.21.0.0
apache cloudstack_backup_plugin 4.22.0.0
apache cloudstack From 4.21.0.0 (inc)
apache cloudstack 4.22.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows any authenticated user in CloudStack environments with the Backup plugin enabled to create new virtual machines using backups of other users. This improper access logic could lead to unauthorized access or misuse of other users' data or resources.

Such unauthorized access and potential data misuse may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data. However, the provided information does not explicitly state the compliance impact.

Executive Summary

The CloudStack Backup plugin in versions 4.21.0.0 and 4.22.0.0 has an improper access logic vulnerability. This means that any authenticated user in a CloudStack environment with this plugin enabled can exploit specific APIs to create new virtual machines (VMs) using backups that belong to other users.

Impact Analysis

This vulnerability allows authenticated users to create VMs from backups of other users without proper authorization. This can lead to unauthorized access to data or resources, potential data leakage, and misuse of system resources.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to upgrade CloudStack to version 4.22.0.1 or later, as this version fixes the improper access logic issue in the Backup plugin.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66171. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart