LeakyCreds

CVE-2025-66172 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: May 10, 2026

CloudStack Backup - Broken Access Control

Published: May 8, 2026 | Updated: May 10, 2026 | Remote Exploitable

Overview

The CloudStack Backup plugin in versions 4.21.0.0 and 4.22.0.0 contains a broken access control flaw caused by improper access logic in the backup restoration APIs. The flaw lets authenticated users restore and attach volumes belonging to other users. Exploitation requires authenticated user access with specific API permissions.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Authenticated users can restore and attach volumes from other users, leading to unauthorized data access and potential data manipulation.

Mitigation

Upgrade to CloudStack version 4.22.0.1 or later.

Details

CVE ID: CVE-2025-66172
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: unconfirmed

CWE

  • CWE-359

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N