CVE-2025-65073 is a security vulnerability identified in OpenStack Keystone, the identity service component of the OpenStack cloud platform. Specifically, versions prior to 26.0.1, 27.0.0, and 28.0.0 are affected. The vulnerability allows an attacker to authenticate to Keystone by submitting requests to the /v3/ec2tokens or /v3/s3tokens endpoints using a valid AWS Signature. Normally, Keystone requires proper authentication tokens or credentials, but this flaw permits authorization solely based on the presence of a valid AWS Signature, effectively bypassing standard Keystone authentication controls. This means that if an attacker can generate or obtain a valid AWS Signature, they can impersonate users or services within the OpenStack environment. The vulnerability impacts the confidentiality and integrity of the cloud environment by potentially allowing unauthorized access to identity tokens, which can be used to escalate privileges or access sensitive cloud resources. Although no known exploits have been reported in the wild, the vulnerability is critical because Keystone is central to managing authentication and authorization in OpenStack clouds. The lack of a CVSS score suggests the vulnerability is newly published and not yet fully assessed. Exploitation requires possession of valid AWS signing credentials or keys, which may limit the attack surface but does not eliminate risk. The vulnerability affects multiple OpenStack versions, indicating a broad potential impact across deployments. Remediation involves upgrading to the fixed versions of Keystone (26.0.1, 27.0.0, or 28.0.0) once available and reviewing AWS credential management practices to prevent unauthorized signature generation.

For European organizations, the impact of CVE-2025-65073 is significant due to the widespread use of OpenStack in private and public cloud infrastructures across Europe. Unauthorized Keystone authorization can lead to identity token compromise, enabling attackers to impersonate legitimate users or services. This can result in unauthorized access to cloud resources, data breaches, privilege escalation, and disruption of cloud services. Organizations relying on OpenStack for critical workloads, including government, finance, healthcare, and telecommunications sectors, face increased risk of operational disruption and data loss. The vulnerability could also undermine trust in cloud services and complicate compliance with European data protection regulations such as GDPR. Since exploitation requires valid AWS signatures, attackers might target AWS credential theft or misuse, increasing the risk of multi-cloud compromise scenarios. The absence of known exploits provides a window for proactive mitigation, but the potential impact on confidentiality, integrity, and availability remains high if exploited.

1. Upgrade OpenStack Keystone to versions 26.0.1, 27.0.0, or 28.0.0 as soon as patches are released to address this vulnerability. 2. Conduct a thorough audit of AWS credentials and signing keys used within the organization to ensure they have not been compromised or misused. 3. Implement strict access controls and monitoring around AWS credential usage, including rotating keys regularly and enforcing least privilege principles. 4. Monitor Keystone logs and API access patterns for unusual or unauthorized /v3/ec2tokens or /v3/s3tokens requests that could indicate exploitation attempts. 5. Employ network segmentation and firewall rules to restrict access to Keystone endpoints to trusted systems only. 6. Educate cloud administrators and security teams about this vulnerability and the importance of credential security. 7. Consider deploying additional identity and access management (IAM) controls or multi-factor authentication to reduce the risk of unauthorized access. 8. Engage in threat hunting activities focused on detecting anomalous AWS signature usage within the cloud environment. 9. Coordinate with cloud service providers and vendors for timely updates and security advisories related to OpenStack Keystone.