CVE-2025-47849: 
Apache CloudStack vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2025-47849) exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can obtain API and secret keys of Admin role type user-accounts within the same domain. This vulnerability was discovered and reported by Kevin (kli74@apple.com) and Scott Schmitz (sschmitz@ussignal.com), with patches released on June 10, 2025 (CloudStack Blog).

The vulnerability stems from improper access control mechanisms where operations are not appropriately restricted based on role hierarchy. The issue has been assigned a CVSS 3.1 Base Score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability allows Domain Admin users to bypass role-based access controls and gain unauthorized access to API and secret keys of higher-privileged Admin accounts (NVD, GBHackers).

The exploitation of this vulnerability can lead to serious security implications including compromise of resource integrity and confidentiality, data loss, denial of service, and potential compromise of infrastructure managed by CloudStack. An attacker can impersonate Admin user-accounts and gain access to sensitive APIs and resources (CloudStack Blog).

Users are strongly recommended to upgrade to Apache CloudStack versions 4.19.3.0 or 4.20.1.0, which implement several security improvements including: strict validation on Role Type hierarchy ensuring the caller's role must be equal to or higher than the target user's role, API privilege comparison requiring the caller to possess all privileges of the user they are operating on, and two new domain-level settings for granular control over user operations (CloudStack Blog).

The vulnerability has garnered significant attention in the cybersecurity community, with multiple security firms and researchers highlighting the critical nature of the flaw. Security experts emphasize the importance of immediate patching due to the potential for privilege escalation and system compromise (Cybersecurity News).