CVE-2025-47713: 
Apache CloudStack Schwachstellenanalyse und -minderung

A privilege escalation vulnerability (CVE-2025-47713) was discovered in Apache CloudStack versions 4.10.0.0 through 4.20.0.0, disclosed on June 10, 2025. The vulnerability affects the user account management functionality where malicious Domain Admin users in the ROOT domain could reset passwords of Admin role type accounts. This operation was not appropriately restricted, allowing attackers to bypass role-based access controls and modify credentials of higher-privileged Admin accounts (CloudStack Blog, NVD).

The vulnerability stems from improper privilege management in the password reset functionality, allowing Domain Admin users to bypass role-based access controls. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (CISA-ADP, Wiz).

The exploitation of this vulnerability allows attackers to assume control over higher-privileged Admin accounts, leading to unauthorized access to sensitive APIs and resources. This can result in compromise of resource integrity and confidentiality, data loss, denial of service, and potential disruption of infrastructure availability managed by CloudStack (CloudStack Blog, Cyber Security News).

Apache CloudStack has released versions 4.19.3.0 and 4.20.1.0 to address this vulnerability. The fixes include strict validation on Role Type hierarchy ensuring the caller's user-account role must be equal to or higher than the target user-account's role, and API privilege comparison requiring the caller to possess all privileges of the user they are operating on. Additionally, two new domain-level settings have been introduced: 'role.types.allowed.for.operations.on.accounts.of.same.role.type' (default: 'Admin, DomainAdmin, ResourceAdmin') and 'allow.operations.on.users.in.same.account' (default: true) (CloudStack Blog).

The vulnerability has garnered significant attention in the cybersecurity community, with multiple security firms and researchers highlighting its critical nature. The Apache CloudStack project responded promptly by releasing security patches, and the broader cloud security community has emphasized the importance of proper privilege management in cloud infrastructure (GBHackers).