CVE-2025-65073 is a vulnerability classified under CWE-863 (Incorrect Authorization) found in OpenStack Keystone, the identity service component of OpenStack cloud platforms. The flaw exists in versions prior to 26.0.1, 27.0.0, and 28.0.0, where Keystone improperly authorizes requests to the /v3/ec2tokens and /v3/s3tokens endpoints. These endpoints are designed to allow token generation based on AWS Signature authentication, which is intended to provide interoperability with AWS-compatible APIs. However, due to incorrect authorization logic, an attacker possessing a valid AWS Signature can bypass Keystone’s normal authorization checks and obtain tokens with elevated privileges or unauthorized access. This can lead to unauthorized access to cloud resources, privilege escalation, and potential compromise of the cloud environment’s confidentiality and integrity. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting network attack vector, high complexity, no privileges required, no user interaction, and a scope change with partial confidentiality loss and high integrity impact. Although no public exploits are currently known, the vulnerability’s nature and the critical role of Keystone in cloud identity management make it a significant threat. The issue highlights the risks of integrating third-party authentication mechanisms without rigorous authorization validation. OpenStack operators must assess their Keystone versions and configurations to mitigate this risk.

For European organizations, the impact of CVE-2025-65073 can be substantial, especially for those relying on OpenStack for private or public cloud infrastructure. Exploitation could allow attackers to impersonate legitimate users or services, gaining unauthorized access to sensitive data and cloud resources. This compromises confidentiality and integrity, potentially leading to data breaches, service disruptions, or unauthorized modifications of cloud workloads. Given Keystone’s central role in identity and access management, a successful attack could cascade, affecting multiple services and tenants in multi-tenant environments. The vulnerability’s network accessibility and lack of required privileges increase the risk of remote exploitation. This is particularly critical for sectors such as finance, healthcare, and government agencies in Europe, where data protection regulations like GDPR impose strict requirements. Additionally, disruption or compromise of cloud services could impact business continuity and trust in cloud providers. Organizations using AWS-compatible APIs with Keystone are especially vulnerable, as attackers can leverage valid AWS signatures to bypass controls.

European organizations should immediately verify their OpenStack Keystone versions and upgrade to versions 26.0.1 or later, 27.0.1 or later, or 28.0.1 or later where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement strict network controls to limit access to Keystone endpoints, especially /v3/ec2tokens and /v3/s3tokens, restricting them to trusted sources only. Review and audit the use of AWS Signature-based authentication within Keystone to ensure it is configured securely and monitored for anomalies. Employ enhanced logging and alerting on token generation requests to detect unusual patterns indicative of exploitation attempts. Conduct regular penetration testing and vulnerability assessments focused on identity services. Additionally, consider implementing multi-factor authentication and role-based access controls to reduce the impact of compromised tokens. Collaborate with cloud service providers to ensure timely patch deployment and share threat intelligence related to this vulnerability. Finally, update incident response plans to include scenarios involving Keystone authorization bypass.