CVE-2025-66172: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Apache Software Foundation Apache CloudStack
CVE-2025-66172 is a vulnerability in Apache CloudStack versions 4. 21. 0. 0 and 4. 22. 0. 0 affecting the Backup plugin. Authenticated users with access to specific APIs can restore backup volumes belonging to other users and attach them to their own virtual machines. This improper access control issue exposes private personal information by allowing unauthorized access to backup data. The issue is fixed in Apache CloudStack version 4.
AI Analysis
Technical Summary
The Apache CloudStack Backup plugin in versions 4.21.0.0 and 4.22.0.0 contains an improper access control vulnerability (CWE-359). Authenticated users with access to certain APIs can restore volumes from backups owned by other users and attach those volumes to their own VMs, leading to unauthorized exposure of private data. The vulnerability is resolved by upgrading to CloudStack version 4.22.0.1.
Potential Impact
This vulnerability allows authenticated users to access and restore backup volumes from other users without proper authorization, potentially exposing private personal information stored in those backups. This unauthorized access could lead to data confidentiality breaches within affected CloudStack environments where the Backup plugin is enabled.
Mitigation Recommendations
Users of Apache CloudStack Backup plugin versions 4.21.0.0 and 4.22.0.0 should upgrade to version 4.22.0.1, which addresses this improper access control vulnerability. No other mitigation or temporary workaround is indicated by the vendor advisory.
CVE-2025-66172: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Apache Software Foundation Apache CloudStack
Description
CVE-2025-66172 is a vulnerability in Apache CloudStack versions 4. 21. 0. 0 and 4. 22. 0. 0 affecting the Backup plugin. Authenticated users with access to specific APIs can restore backup volumes belonging to other users and attach them to their own virtual machines. This improper access control issue exposes private personal information by allowing unauthorized access to backup data. The issue is fixed in Apache CloudStack version 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache CloudStack Backup plugin in versions 4.21.0.0 and 4.22.0.0 contains an improper access control vulnerability (CWE-359). Authenticated users with access to certain APIs can restore volumes from backups owned by other users and attach those volumes to their own VMs, leading to unauthorized exposure of private data. The vulnerability is resolved by upgrading to CloudStack version 4.22.0.1.
Potential Impact
This vulnerability allows authenticated users to access and restore backup volumes from other users without proper authorization, potentially exposing private personal information stored in those backups. This unauthorized access could lead to data confidentiality breaches within affected CloudStack environments where the Backup plugin is enabled.
Mitigation Recommendations
Users of Apache CloudStack Backup plugin versions 4.21.0.0 and 4.22.0.0 should upgrade to version 4.22.0.1, which addresses this improper access control vulnerability. No other mitigation or temporary workaround is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2025-11-22T19:27:07.615Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fddc53cbff5d8610d55684
Added to database: 5/8/2026, 12:51:31 PM
Last enriched: 5/8/2026, 1:07:00 PM
Last updated: 5/8/2026, 5:58:46 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.