Threat Advisory

Apache CloudStack Vulnerabilities Enable Cross Tenant VM Hijacking

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been observed in Apache CloudStack, a cloud infrastructure management platform. These vulnerabilities affect the Proxmox extension and the CloudStack Backup plugin, exposing cloud environments to severe risks such as cross-tenant virtual machine hijacking, unauthorized use of backups, and arbitrary code execution on KVM hosts. If exploited, these flaws can lead to compromise of resource integrity and confidentiality, data loss, denial of service, and disruption of availability within KVM-based infrastructure managed by CloudStack.

CVE-2026-25199 (CVSS score 9.1): This vulnerability involves the Proxmox extension, which improperly uses a user-editable instance setting to associate CloudStack instances with Proxmox virtual machines. Because the setting is under the user's control, it allows unauthorized cross-tenant access and enables full control over the targeted VM.

CVE-2026-25077 (CVSS score 8.8): This flaw impacts CloudStack deployments managing KVM hypervisors. Attackers can register malicious templates that execute arbitrary code on the KVM hosts, resulting in the compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of the KVM-based infrastructure.

CVE-2025-66170 (CVSS score 6.5): Improper authorization logic in Apache CloudStack allows authenticated users to list backups belonging to any account within the environment. While the vulnerability does not expose the actual contents of the backups, it still enables unauthorized visibility into backup metadata. This can be leveraged for reconnaissance, increasing the risk of targeted attacks against sensitive cloud resources.

CVE-2025-66171 (CVSS score 6.5): An authenticated user can create a new VM from backups they should not have access to, escalating the backup flaw.

CVE-2025-66172 (CVSS score 8.1): Anyone with authenticated user-account access in an Apache CloudStack environment where this plugin is enabled, and who has access to specific APIs, can restore a volume from any other user's backups and attach the volume to their own VMs.


RECOMMENDATION:

We recommend updating Apache CloudStack to version 4.20.3.0 or 4.22.0.1 or later.
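As an added example (not part of the advisory), a small inventory triage script that flags CloudStack environments still running a version below the fixed releases named above. Mapping the 4.20 line to 4.20.3.0 and every later line to 4.22.0.1 is an assumption drawn from the recommendation; the sample inventory is constructed.

```python
import re

# Fixed releases named in the advisory's recommendation. Mapping each release
# line to its first fixed version is an assumption for this check: the advisory
# only states "4.20.3.0 or 4.22.0.1 or later".
FIXED_VERSIONS = {
    (4, 20): (4, 20, 3, 0),
    (4, 22): (4, 22, 0, 1),
}

def parse_version(version: str) -> tuple:
    """Turn a CloudStack version string such as '4.20.1.0' into an int tuple.
    Trailing qualifiers (e.g. '-SNAPSHOT') are dropped; missing components are
    padded with zeros so '4.22' compares as (4, 22, 0, 0)."""
    m = re.match(r"^\s*(\d+(?:\.\d+){0,3})", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_fixed(version: str) -> bool:
    """True when the version is at or above the fixed release for its line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[line]
    # Release lines newer than 4.22 are treated as carrying the fix; anything
    # older, including 4.21.x (for which the advisory names no fixed release),
    # is treated as needing an upgrade.
    return line > (4, 22)

def triage(inventory: dict) -> list:
    """Return the names of environments whose version needs an upgrade."""
    return [name for name, ver in inventory.items() if not is_fixed(ver)]

# Constructed sample inventory (hypothetical environment names and versions).
SAMPLE_INVENTORY = {
    "prod-kvm-zone1": "4.20.1.0",
    "prod-kvm-zone2": "4.20.3.0",
    "lab-proxmox": "4.21.0.0-SNAPSHOT",
    "staging": "4.22.0.1",
}

if __name__ == "__main__":
    for env in triage(SAMPLE_INVENTORY):
        print(f"{env}: {SAMPLE_INVENTORY[env]} needs upgrade")
```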

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/apache-cloudstack-security-update-vm-hijacking-kvm-rce-fix/
