CVE-2025-66172
Undergoing Analysis Undergoing Analysis - In Progress
CloudStack Backup Plugin Privilege Escalation Vulnerability

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: Apache Software Foundation

Description
The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2025-66172
EUVD
EUVD-2025-209742
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
apache cloudstack_backup_plugin 4.21.0.0
apache cloudstack_backup_plugin 4.22.0.0
apache cloudstack From 4.21.0.0 (inc)
apache cloudstack 4.22.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The CloudStack Backup plugin in versions 4.21.0.0 and 4.22.0.0 has an improper access control issue. This means that any authenticated user in CloudStack environments using these versions, where the plugin is enabled, can access specific APIs to restore backup volumes belonging to other users and attach those volumes to their own virtual machines.


How can this vulnerability impact me? :

This vulnerability allows an authenticated user to restore and access backup volumes of other users without proper authorization. This can lead to unauthorized data access, potential data leakage, and compromise of user data confidentiality within the CloudStack environment.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, it is recommended to upgrade CloudStack to version 4.22.0.1 or later, as this version fixes the improper access logic in the Backup plugin.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows an authenticated user to restore and attach volumes from other users' backups without proper authorization. This improper access to potentially sensitive data could lead to unauthorized data exposure.

Such unauthorized access and potential data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Organizations using affected versions of the CloudStack Backup plugin should upgrade to version 4.22.0.1 to mitigate this risk and help maintain compliance with these standards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart