PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-66171 Lists CVE debrief

CVE-2025-66171 is an access-control issue in the Apache CloudStack Backup plugin affecting versions 4.21.0.0 and 4.22.0.0. According to the supplied advisory text, an authenticated user with access to specific APIs in an environment where the plugin is enabled can create new VMs from backups belonging to other users. Apache recommends upgrading to CloudStack 4.22.0.1 to resolve the issue.

Vendor: Lists
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-09
Advisory published: 2026-05-08
Advisory updated: 2026-05-09

Who should care

CloudStack administrators, platform owners, and security teams running Apache CloudStack 4.21.0.0 or 4.22.0.0 with the Backup plugin enabled, especially in multi-tenant environments or deployments where authenticated users can reach the affected APIs.

Technical summary

The issue is an improper access-logic flaw in the Backup plugin. The supplied source describes a scenario in which an authenticated user with access to specific APIs can create a VM from backups that belong to another user, opening an unauthorized cross-user path to that user's data and workloads. The source corpus also lists CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-359.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Apache CloudStack to 4.22.0.1 as recommended by the advisory.
  • Confirm whether the Backup plugin is enabled in any CloudStack 4.21.0.0 or 4.22.0.0 environment.
  • Review which authenticated users can reach the Backup-related APIs and tighten access to the minimum required set.
  • Check logs for unexpected VM creation activity involving backups owned by other accounts.
  • If immediate upgrade is not possible, reduce exposure by limiting access to the affected APIs and monitoring tenant-bound backup operations closely.
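One way to implement the log-review action above, as an added example that is not part of the advisory or of CloudStack itself: it scans a constructed set of VM-from-backup event records and flags the ones where a non-admin actor used a backup owned by a different account. The record fields (event, actor_account, actor_role, backup_owner_account, backup_id, vm_id) are a hypothetical schema standing in for whatever your CloudStack event or audit export actually provides.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class RestoreEvent:
    # Hypothetical fields; map them onto your real event export.
    event: str                  # event type, e.g. "VM.CREATE.FROM.BACKUP"
    actor_account: str          # account that issued the API call
    actor_role: str             # "Admin", "DomainAdmin" or "User"
    backup_owner_account: str   # account that owns the source backup
    backup_id: str
    vm_id: str

ADMIN_ROLES = {"Admin", "DomainAdmin"}   # roles allowed to act across accounts

def cross_account_restores(events):
    """Return events where a plain user restored another account's backup.

    Admin roles are expected to operate across accounts, so they are not
    flagged here; review them separately if your policy requires it.
    """
    return [
        e for e in events
        if e.event == "VM.CREATE.FROM.BACKUP"
        and e.actor_role not in ADMIN_ROLES
        and e.actor_account != e.backup_owner_account
    ]

def actors_by_hit_count(flagged):
    """Count flagged events per acting account, busiest first."""
    return Counter(e.actor_account for e in flagged).most_common()

# Constructed sample records, not real CloudStack output.
SAMPLE_EVENTS = [
    RestoreEvent("VM.CREATE.FROM.BACKUP", "tenant-a", "User", "tenant-a", "bk-1", "vm-10"),
    RestoreEvent("VM.CREATE.FROM.BACKUP", "tenant-b", "User", "tenant-a", "bk-2", "vm-11"),
    RestoreEvent("VM.CREATE.FROM.BACKUP", "ops-admin", "Admin", "tenant-c", "bk-3", "vm-12"),
    RestoreEvent("VM.CREATE.FROM.BACKUP", "tenant-b", "User", "tenant-c", "bk-4", "vm-13"),
    RestoreEvent("BACKUP.CREATE", "tenant-b", "User", "tenant-a", "bk-5", "vm-14"),
]

if __name__ == "__main__":
    for hit in cross_account_restores(SAMPLE_EVENTS):
        print(f"REVIEW {hit.actor_account} restored {hit.backup_id} "
              f"(owner {hit.backup_owner_account}) into {hit.vm_id}")
```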

Evidence notes

Source corpus states the vulnerability was published on 2026-05-08 and modified on 2026-05-09. The advisory text says the Backup plugin in CloudStack 4.21.0.0 and 4.22.0.0 has improper access logic, and that upgrading to 4.22.0.1 fixes the issue. NVD metadata in the corpus shows vulnStatus 'Undergoing Analysis' and references an Apache security mailing list thread and an oss-security mirror.

Official resources

Publicly disclosed on 2026-05-08 and updated on 2026-05-09. No KEV listing was provided in the supplied corpus.