CVE-2025-47849 is a high-severity privilege escalation vulnerability affecting Apache CloudStack versions 4.10.0.0 through 4.20.0.0. The flaw arises from improper privilege management (CWE-269) where a malicious Domain Admin user within the ROOT domain can retrieve the API key and secret key of user accounts holding the Admin role type in the same domain. This vulnerability stems from insufficient restrictions on operations that allow a Domain Admin to impersonate higher-privileged Admin users. By exploiting this, an attacker can gain unauthorized access to sensitive APIs and resources, potentially compromising the confidentiality and integrity of managed cloud infrastructure, causing data loss, denial of service, and impacting availability. The root cause is the lack of strict validation on role hierarchy and privilege comparison when performing operations on user accounts. The issue is addressed in Apache CloudStack versions 4.19.3.0 and 4.20.1.0 by enforcing that the caller's role must be equal or higher than the target user's role and requiring the caller to possess all privileges of the user they operate on. Additionally, two domain-level settings were introduced to control which role types can act on accounts of the same role type and whether operations on users within the same account are allowed. No known exploits are reported in the wild yet, but the vulnerability's high CVSS score (8.8) reflects its potential impact and ease of exploitation over the network without user interaction, requiring only low privileges (Domain Admin).

For European organizations using Apache CloudStack for cloud infrastructure management, this vulnerability poses a significant risk. An attacker with Domain Admin privileges could escalate their access to Admin-level accounts, gaining control over critical cloud resources and APIs. This could lead to unauthorized data access, modification, or deletion, disrupting business operations and causing compliance violations under regulations such as GDPR. The compromise of infrastructure availability could result in downtime affecting services and customers. Given the central role of cloud management platforms in digital transformation and service delivery, exploitation could have cascading effects on dependent systems and data. Organizations in sectors with high regulatory scrutiny or critical infrastructure reliance (e.g., finance, healthcare, government) are particularly vulnerable to the confidentiality and availability impacts of this flaw.

European organizations should prioritize upgrading Apache CloudStack to versions 4.19.3.0 or 4.20.1.0 or later, where the vulnerability is fixed. Beyond patching, administrators should review and tighten role assignments and domain-level settings to limit which roles can perform operations on accounts of the same role type. Specifically, restrict the 'role.types.allowed.for.operations.on.accounts.of.same.role.type' setting to the minimum necessary roles and consider disabling 'allow.operations.on.users.in.same.account' if not required. Conduct audits of Domain Admin accounts to ensure only trusted personnel have such privileges. Implement monitoring and alerting on unusual API key access or privilege escalations within CloudStack. Additionally, enforce strong authentication and access controls on the management plane to reduce the risk of initial compromise of Domain Admin accounts. Regularly review CloudStack logs for suspicious activity related to user account operations.