PatchSiren cyber security CVE debrief

CVE-2025-66172 Lists CVE debrief

CVE-2025-66172 is an access-control flaw in the CloudStack Backup plugin affecting versions 4.21.0.0 and 4.22.0.0. An authenticated user with access to the relevant APIs can restore a volume from another user's backups and attach that volume to their own VMs, creating a cross-tenant authorization break with high confidentiality and integrity impact.

Vendor: Lists
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-10
Advisory published: 2026-05-08
Advisory updated: 2026-05-10

Who should care

CloudStack operators running the Backup plugin on 4.21.0.0 or 4.22.0.0, especially environments that expose the affected backup/restore APIs to authenticated users. Backup administrators, platform security teams, and anyone managing tenant isolation should treat this as a priority review item.

Technical summary

The issue is an improper access logic problem in the CloudStack Backup plugin rather than a code-execution bug. According to the advisory text, the vulnerable condition exists when the plugin is enabled in CloudStack 4.21.0.0+ and an authenticated user has access to specific APIs. NVD lists the issue as CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N and associates it with CWE-359. The practical impact is unauthorized restore and reassignment of backup-derived storage across users/tenants.

Defensive priority

High. This is remotely reachable, requires only low-privilege authenticated access, and can expose or repurpose another user's backup data and volumes. The impact is concentrated on confidentiality and integrity, with no availability impact listed, but the cross-tenant nature makes it especially important for multi-user CloudStack deployments.

Recommended defensive actions

  • Upgrade CloudStack to 4.22.0.1 as recommended in the advisory.
  • Verify whether the Backup plugin is enabled in any CloudStack 4.21.0.0+ environment.
  • Review API access controls and tenant isolation settings for backup and volume-restore workflows.
  • Audit recent backup restore and volume attachment activity for unexpected cross-account actions.
  • If immediate upgrade is not possible, restrict access to the affected APIs to the smallest possible authenticated admin/user set until remediation is complete.
  • Confirm that monitoring and alerting cover backup restore events and volume attachments across tenant boundaries.
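The audit and monitoring actions above reduce to one check: a restore-and-attach request whose backup belongs to a different account than the requester, or whose target VM belongs to a different account than the backup, is a candidate cross-tenant action. The script below is an added example, not PatchSiren's or Apache CloudStack's own code; the event name and record fields (requester_account, requester_role, backup_owner_account, target_vm_owner_account) are assumptions, and the sample records are constructed to match the flaw described in this debrief.

```python
"""Flag cross-account backup restores in constructed CloudStack-style audit records."""
from dataclasses import dataclass

# Constructed sample records (assumed field names, not CloudStack's real event schema).
# Record 2 is the pattern described for CVE-2025-66172: a plain user restores a
# volume from another account's backup and attaches it to a VM they own.
SAMPLE_EVENTS = [
    {"event": "restore_volume_from_backup_and_attach", "requester_account": "alice",
     "requester_role": "User", "backup_owner_account": "alice",
     "target_vm_owner_account": "alice"},
    {"event": "restore_volume_from_backup_and_attach", "requester_account": "mallory",
     "requester_role": "User", "backup_owner_account": "alice",
     "target_vm_owner_account": "mallory"},
    {"event": "restore_volume_from_backup_and_attach", "requester_account": "admin",
     "requester_role": "Admin", "backup_owner_account": "alice",
     "target_vm_owner_account": "alice"},
    {"event": "attach_volume", "requester_account": "bob", "requester_role": "User",
     "backup_owner_account": None, "target_vm_owner_account": "bob"},
]

RESTORE_EVENTS = {"restore_volume_from_backup_and_attach"}  # assumed event name
PRIVILEGED_ROLES = {"Admin"}  # root admins may legitimately act across accounts


@dataclass(frozen=True)
class Finding:
    requester: str
    backup_owner: str
    vm_owner: str
    reason: str


def find_cross_account_restores(events):
    """Return a Finding for every non-admin restore where the backup's owning
    account differs from the requester or from the owner of the receiving VM."""
    findings = []
    for e in events:
        if e["event"] not in RESTORE_EVENTS:
            continue  # only restore-and-attach operations are in scope here
        if e["requester_role"] in PRIVILEGED_ROLES:
            continue  # expected to cross accounts; review under a separate policy
        owner = e["backup_owner_account"]
        if owner != e["requester_account"]:
            reason = "backup owned by another account"
        elif owner != e["target_vm_owner_account"]:
            reason = "restored volume attached to another account's VM"
        else:
            continue  # same account throughout: normal self-service restore
        findings.append(Finding(e["requester_account"], owner,
                                e["target_vm_owner_account"], reason))
    return findings
```

Run it over an export of your own restore events after mapping the field names; any finding is a record to verify against the account that owns the backup.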

Evidence notes

Source corpus indicates: (1) the CVE description states an improper access logic issue in the CloudStack Backup plugin for versions 4.21.0.0 and 4.22.0.0; (2) authenticated users with access to specific APIs can restore volumes from another user's backups and attach them to their own VMs; (3) the recommended fix is CloudStack 4.22.0.1. NVD metadata provides CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N and CWE-359. References supplied in the corpus are the Apache security mailing list advisory and an oss-security mirror.

Official resources

Publicly disclosed on 2026-05-08 via the Apache security mailing list, with an oss-security mirror on 2026-05-09. The NVD entry was published on 2026-05-08 and last modified on 2026-05-10.