Multiple critical vulnerabilities in popular versions of the Apache CloudStack platform could allow attackers to perform privileged actions and compromise cloud infrastructure systems.
The security advisory, announced on June 10, 2025, addresses five distinct CVEs, with two classified as critical severity that enable complete compromise of confidentiality, integrity, and availability of resources.
Kubernetes Cluster Vulnerability Exposes API Keys
The most severe vulnerability, CVE-2025-26521, affects Container Kubernetes Service (CKS) clusters within Apache CloudStack projects.
When users create CKS-based Kubernetes clusters in projects, the system inappropriately exposes the API key and secret key of the ‘kubeadmin’ user to other project members who can access the cluster.
This design flaw allows malicious actors within the same project to extract these credentials and impersonate the cluster creator’s account.
The vulnerability enables attackers to perform privileged operations that could result in complete infrastructure compromise.
To mitigate existing deployments, administrators must create dedicated service accounts using the “Project Kubernetes Service Role” with specific naming conventions like kubeadmin-.
The remediation process involves updating the CloudStack secret in Kubernetes clusters using kubectl commands:
Domain Admin Privilege Escalation
Two additional critical vulnerabilities, CVE-2025-47713 and CVE-2025-47849, enable Domain Admin users in the ROOT domain to escalate privileges and assume control over higher-privileged Admin accounts.
CVE-2025-47713 allows malicious Domain Admins to reset passwords of Admin role accounts, while CVE-2025-47849 permits unauthorized access to API keys and secret keys of Admin users within the same domain.
These vulnerabilities affect Apache CloudStack versions 4.10.0.0 through 4.20.0.0, representing a significant portion of deployed installations.
Exploiting these flaws lets an attacker impersonate Admin accounts and access sensitive APIs, potentially resulting in data loss, denial of service, and loss of infrastructure availability.
The patches implement strict validation on Role Type hierarchy, ensuring callers possess appropriate privileges before performing operations on target accounts.
Patches Available
Apache CloudStack has addressed these vulnerabilities through comprehensive fixes in versions 4.19.3.0 and 4.20.1.0.
Additional vulnerabilities include CVE-2025-30675, which allows unauthorized template and ISO enumeration across domain boundaries, and CVE-2025-22829, affecting the Quota plugin’s privilege management in version 4.20.0.0.
The security improvements introduce two new domain-level settings: role.types.allowed.for.operations.on.accounts.of.same.role.type (defaulting to “Admin, DomainAdmin, ResourceAdmin”) and allow.operations.on.users.in.same.account (defaulting to true).
These configurations provide granular control over cross-account operations and role-based access management.
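The following is an added illustrative model, not CloudStack's own code, of the role-type hierarchy check described above: a caller may never act on an account of a higher role type, acting on an account of the same role type is governed by role.types.allowed.for.operations.on.accounts.of.same.role.type, and acting on users of the caller's own account is governed by allow.operations.on.users.in.same.account. The role ranking, the Principal type and the sample account names are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed ordering of CloudStack role types; a higher rank is more privileged.
ROLE_RANK = {"User": 0, "ResourceAdmin": 1, "DomainAdmin": 2, "Admin": 3}

# Defaults of the two domain-level settings introduced by the patches.
ROLE_TYPES_ALLOWED_SAME_ROLE = frozenset({"Admin", "DomainAdmin", "ResourceAdmin"})
ALLOW_OPS_ON_USERS_IN_SAME_ACCOUNT = True


@dataclass(frozen=True)
class Principal:
    account: str    # account name (constructed sample values in the demo below)
    role_type: str  # one of the keys of ROLE_RANK


def may_operate(caller: Principal, target: Principal,
                allowed_same_role=ROLE_TYPES_ALLOWED_SAME_ROLE,
                allow_same_account=ALLOW_OPS_ON_USERS_IN_SAME_ACCOUNT) -> bool:
    """Return True if caller may perform an account-level operation
    (password reset, reading API/secret keys, ...) on target."""
    caller_rank = ROLE_RANK[caller.role_type]
    target_rank = ROLE_RANK[target.role_type]
    # Users of the caller's own account: decided purely by the setting.
    if caller.account == target.account:
        return allow_same_account
    # A more privileged role type is never a valid target
    # (the Domain Admin -> Admin escalation the advisory fixes).
    if target_rank > caller_rank:
        return False
    # Same role type: only if that role type is listed in the setting.
    if target_rank == caller_rank:
        return caller.role_type in allowed_same_role
    # Strictly lower role type: permitted.
    return True


if __name__ == "__main__":
    dom_admin = Principal("acme-domadmin", "DomainAdmin")
    root_admin = Principal("admin", "Admin")
    print("DomainAdmin -> Admin:", may_operate(dom_admin, root_admin))   # False
    print("Admin -> DomainAdmin:", may_operate(root_admin, dom_admin))   # True
```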
Users currently on versions older than 4.20.0.0 are specifically advised to skip version 4.20.0.0 entirely and upgrade directly to 4.20.1.0 to avoid exposure to the Quota plugin vulnerability. Official packages are available through the Apache CloudStack download portal and various Linux distribution repositories.