Severity
High
Analysis Summary
CVE-2025-30675 CVSS:4.7
In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.
CVE-2025-47849 CVSS:6.7
Apache CloudStack could allow a remote authenticated attacker to gain elevated privileges on the system, caused by insecure access to users' API/secret keys in the same domain.
CVE-2025-47713 CVSS:9.1
Apache CloudStack could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw that allows a Domain Admin to reset the password of an Admin account in the ROOT domain.
CVE-2025-26521 CVSS:9.9
Apache CloudStack could allow a remote authenticated attacker to obtain the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account, caused by improper access control.
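For CVE-2025-30675, the parameter combination described above can be searched for in API request logs. The following is an added detection example, not code from the advisory or from Apache CloudStack: the log layout (`<account> <role> <request-uri>`), the role labels and the sample lines are constructed assumptions, and it matches any parameter whose name ends in `filter`, since the advisory only writes `filter`.

```python
from urllib.parse import urlsplit, parse_qs

# Commands and filter values named in the CVE-2025-30675 description.
WATCHED_COMMANDS = {"listtemplates", "listisos"}
WATCHED_FILTERS = {"self", "selfexecutable"}
# Role labels are an assumption of this example's log layout.
WATCHED_ROLES = {"DomainAdmin", "ResourceAdmin"}

def suspicious(request_uri):
    """True if the request pairs 'domainid' with a self/selfexecutable filter."""
    query = urlsplit(request_uri).query
    # Normalise case and decode percent-encoding so variants still match.
    params = {k.lower(): [v.lower() for v in vs]
              for k, vs in parse_qs(query, keep_blank_values=True).items()}
    if params.get("command", [""])[0] not in WATCHED_COMMANDS:
        return False
    if "domainid" not in params:
        return False
    # Assumption: treat any parameter ending in 'filter' as the filter.
    filters = [v for k, vs in params.items() if k.endswith("filter") for v in vs]
    return any(f in WATCHED_FILTERS for f in filters)

def scan(lines):
    """Return (account, uri) pairs worth reviewing; malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        account, role, uri = parts
        if role in WATCHED_ROLES and suspicious(uri):
            hits.append((account, uri))
    return hits

# Constructed sample log lines (not real data).
DOMAIN = "11111111-2222-3333-4444-555555555555"
SAMPLE_LOG = [
    f"alice DomainAdmin /client/api?command=listTemplates&templatefilter=self&domainid={DOMAIN}",
    "bob User /client/api?command=listTemplates&templatefilter=self",
    f"carol ResourceAdmin /client/api?command=listIsos&isofilter=selfexecutable&domainid={DOMAIN}",
    f"dave DomainAdmin /client/api?command=listTemplates&templatefilter=featured&domainid={DOMAIN}",
    f"erin DomainAdmin /client/api?command=listVirtualMachines&domainid={DOMAIN}",
    "truncated-line",
]

if __name__ == "__main__":
    for account, uri in scan(SAMPLE_LOG):
        print(f"review: {account} {uri}")
```

A hit is a request to review, not proof of abuse: compare the `domainid` value against the domains the calling account is entitled to see.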
Impact
- Gain Access
- Privilege Escalation
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-30675
CVE-2025-47849
CVE-2025-47713
CVE-2025-26521
Affected Vendors
Affected Products
- Apache CloudStack - 4.0.0 - 4.19.3.0
- Apache CloudStack - 4.20.0.0 - 4.20.1.0
Remediation
Refer to Adobe Security Advisory for patch, upgrade, or suggested workaround information.