The vulnerability identified as CVE-2025-66467 in Apache CloudStack involves incomplete cleanup of MinIO policies upon bucket deletion. Specifically, when a bucket is deleted, the associated access and secret keys are not revoked or removed, allowing former owners to retain access rights. If a new bucket is created with the same name by a different user, the previous owners can exploit their retained credentials to gain unauthorized read and write access to the new bucket. This issue affects versions 4.19.0.0 and 4.21.0.0 of Apache CloudStack. The vulnerability is classified under CWE-459 (Incomplete Cleanup). The CVSS v3.1 base score is 8.0, indicating high severity, with network attack vector, high privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No known exploits in the wild have been reported. The vendor recommends upgrading to fixed versions 4.20.3.0 or 4.22.0.1 or later.

Successful exploitation of this vulnerability allows previous bucket owners to retain unauthorized read and write access to buckets they no longer own if those buckets are recreated with the same name by other users. This compromises confidentiality, integrity, and availability of data stored in the affected buckets. The impact is significant given the high CVSS score and the potential for unauthorized data access and modification.

Users should upgrade Apache CloudStack to version 4.20.3.0, 4.22.0.1, or later, where this vulnerability has been fixed. Since no official patch links or remediation levels are provided in the advisory, the upgrade to these specified versions is the recommended remediation. Patch status is confirmed by the vendor advisory recommending these versions. No alternative mitigations or temporary fixes are indicated.