June 23, 2025
Severity
High
Analysis Summary
Multiple critical vulnerabilities have been disclosed in Apache CloudStack, an open-source cloud orchestration platform, with the potential to severely compromise cloud infrastructure systems. The advisory, released on June 10, 2025, covers five CVEs, two of which are rated critical for enabling a complete breach of confidentiality, integrity, and availability. The most severe of these, CVE-2025-26521, targets Kubernetes clusters managed through the Container Kubernetes Service (CKS) within CloudStack. It allows the exposure of ‘kubeadmin’ API and secret keys to other project members, permitting malicious insiders to impersonate the cluster creator and execute privileged operations.
Two other critical vulnerabilities, CVE-2025-47713 and CVE-2025-47849, affect the Apache CloudStack Domain Admin structure, enabling privilege escalation. These flaws allow Domain Admin users within the ROOT domain to either reset the passwords of Admin-level accounts or extract sensitive API and secret keys of those accounts, thereby impersonating higher-privileged users. If exploited, these issues can lead to unauthorized access to critical systems, data exfiltration, infrastructure outages, and potential lateral movement within cloud environments. The vulnerabilities impact versions 4.10.0.0 through 4.20.0.0, covering a wide swath of installations.
To address these risks, Apache has introduced patches in versions 4.19.3.0 and 4.20.1.0, implementing strict validation for role-based access controls, particularly to ensure correct Role Type hierarchy. The recommended mitigation for CKS-based clusters involves creating isolated service accounts with naming conventions such as kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>, alongside updates to Kubernetes secrets using kubectl. For Domain Admin escalations, new role-check mechanisms prevent unauthorized privilege changes or access to keys, thus enhancing security governance within domain boundaries.
Two additional vulnerabilities were also addressed: CVE-2025-30675, allowing unauthorized enumeration of templates and ISOs across domain boundaries, and CVE-2025-22829, which impacts the Quota plugin in version 4.20.0.0. As part of the remediation, new domain-level settings have been introduced for fine-tuned control over operations between users and roles: role.types.allowed.for.operations.on.accounts.of.same.role.type and allow.operations.on.users.in.same.account. Administrators are strongly urged to skip version 4.20.0.0 due to its exposure to the Quota plugin flaw and upgrade directly to 4.20.1.0 using official CloudStack distribution channels.
Impact
- Data Exfiltration
- Privilege Escalation
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2025-26521
CVE-2025-47713
CVE-2025-47849
CVE-2025-30675
CVE-2025-22829
Affected Vendors
- Apache
Affected Products
- Apache CloudStack 4.17.0.0
- Apache CloudStack 4.20.0.0
Remediation
- Upgrade Apache CloudStack to version 4.19.3.0 or 4.20.1.0 to apply all security patches.
- Avoid using version 4.20.0.0 due to known vulnerabilities in the Quota plugin.
- For Kubernetes clusters, create dedicated service accounts using the naming format: kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>.
- Use kubectl to update CloudStack secrets in existing Kubernetes clusters.
- Set role.types.allowed.for.operations.on.accounts.of.same.role.type to control cross-role operations (default: "Admin, DomainAdmin, ResourceAdmin").
- Set allow.operations.on.users.in.same.account to true or false as per organization policy.
- Implement strict validation checks on Role Type hierarchy to ensure only authorized users can modify or access privileged accounts.
- Prevent Domain Admins from resetting Admin account passwords or accessing Admin API keys by applying access restrictions.
- Review and audit project memberships to limit unnecessary access to Kubernetes clusters and their secrets.
- Monitor logs and access records for any signs of impersonation or unauthorized API use.
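A small triage helper for the version range and the CKS service-account naming rule described in the summary and remediation above, as an added example rather than CloudStack project code. It assumes only the release numbers and the kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID> convention the advisory states; the function names are my own, and it handles the case a naive range check gets wrong (4.19.3.0 sits inside 4.10.0.0 through 4.20.0.0 yet is a fixed release).

```python
# Added example for the advisory above; not CloudStack project code. Version
# boundaries and the kubeadmin naming rule come from the advisory text.
from dataclasses import dataclass
from typing import Optional, Tuple

AFFECTED_MIN = (4, 10, 0, 0)  # advisory: 4.10.0.0 through 4.20.0.0 (inclusive)
AFFECTED_MAX = (4, 20, 0, 0)
FIXED_419 = (4, 19, 3, 0)     # patched releases named in the advisory
FIXED_420 = (4, 20, 1, 0)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.19.1' or '4.19.1.0' into a 4-tuple so releases compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised CloudStack version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_patched(v: Tuple[int, ...]) -> bool:
    # 4.19.3.0 sorts inside the affected range yet is the fixed 4.19 release, so a
    # plain range check would misreport it; handle the 4.19 branch explicitly.
    return (v[:2] == (4, 19) and v >= FIXED_419) or v >= FIXED_420

@dataclass
class Triage:
    version: str
    affected: bool
    upgrade_to: Tuple[str, ...]  # empty when no action is required
    note: Optional[str] = None

def triage_version(text: str) -> Triage:
    v = parse_version(text)
    fmt = lambda t: ".".join(map(str, t))
    if is_patched(v) or not AFFECTED_MIN <= v <= AFFECTED_MAX:
        return Triage(fmt(v), False, ())
    if v[:2] == (4, 20):
        # Already on 4.20.0.0: 4.20.1.0 is the only forward move, and this release
        # additionally carries the Quota plugin flaw (CVE-2025-22829).
        return Triage(fmt(v), True, (fmt(FIXED_420),),
                      "4.20.0.0 also carries CVE-2025-22829; upgrade to 4.20.1.0")
    return Triage(fmt(v), True, (fmt(FIXED_419), fmt(FIXED_420)),
                  "do not stop at 4.20.0.0 (Quota plugin flaw); use 4.19.3.0 or 4.20.1.0")

def expected_kubeadmin_account(project_id: str) -> str:
    """Name the CKS mitigation prescribes: kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>."""
    pid = project_id.strip()
    if len(pid) < 8:
        raise ValueError("project id shorter than eight characters")
    return f"kubeadmin-{pid[:8]}"
```

Feed it the version reported by each management server and the project IDs of existing CKS clusters to get an upgrade target and the account name each cluster should be re-keyed to.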