CVE-2025-47713 in CloudStack
Summary
by MITRE • 06/11/2025
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default Admin):
  - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
  - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Analysis
by VulDB Data Team • 07/02/2025
CVE-2025-47713 is a critical privilege escalation flaw in Apache CloudStack that undermines the security model of the cloud management platform. It affects versions 4.10.0.0 through 4.20.0.0 and therefore poses a significant risk to organizations that run CloudStack for their cloud environments. The root cause is an access control weakness: the role hierarchy is not validated when administrative operations are performed on user accounts. As a result, a malicious Domain Admin user in the ROOT domain can reset the passwords of accounts with the Admin role type and bypass the intended boundary between the two roles.
Technically, the password reset operation does not enforce role-based access control. Classified under CWE-284 (access control violations), the flaw breaks both the principle of least privilege and role hierarchy enforcement: a caller can take over a higher-privileged account, which is precisely the cross-role escalation the security model is designed to prevent. The weakness lies in the API layer, where the authorization checks on user-account operations are insufficient, so an attacker who holds a Domain Admin user-account in ROOT can manipulate Admin accounts without proper authorization.
The operational impact extends well beyond the password reset itself and can lead to full system compromise and data breaches. With control of an Admin user-account, the attacker gains access to the sensitive APIs and resources that govern critical infrastructure components in the CloudStack environment. That access allows operations resulting in data loss, compromise of resource integrity, denial of service and loss of infrastructure availability. The impersonated Admin privileges can also be used for further exploitation, including access to confidential information, modification of system configuration and lateral movement within the cloud environment. The attack originates from domain-level administrators, who are supposed to have narrower capabilities than system administrators.
The fix shipped in Apache CloudStack 4.19.3.0 and 4.20.1.0 addresses the core issue with stricter access control. The system now enforces role hierarchy validation: the caller's user-account role must be equal to or higher than the target user-account's role, so a lower-privileged user can no longer act on a higher-privileged account. In addition, an API privilege comparison requires the caller to hold every privilege of the user being operated on, which closes the gap between role type and actual capability. Two new domain-level settings give administrators further control: one restricts which role types may operate on users of the same role type, the other allows or disallows operations on users within the same account. These mitigations align with ATT&CK technique T1078 (legitimate credentials) and T1484.1 (domain controller privilege escalation) and address the root cause through proper access control enforcement and privilege validation.
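As an added example (not CloudStack's code, and not from VulDB or MITRE), the following Python model reproduces the three checks listed in the Summary's fix description and discussed in the paragraph above, next to a model of the unrestricted pre-fix check so the difference is visible on the same inputs. The role-type ordering, the user records, the privilege names and the field names same_role_type_allowed and allow_same_account (standing in for the two advisory settings) are all constructed for this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class RoleType(IntEnum):
    """Role types ordered by privilege. The ordering is an assumption of this
    model (Admin above ResourceAdmin above DomainAdmin above User)."""
    USER = 1
    DOMAIN_ADMIN = 2
    RESOURCE_ADMIN = 3
    ADMIN = 4


@dataclass(frozen=True)
class User:
    name: str
    account: str            # account the user belongs to
    domain: str             # domain path, e.g. "ROOT" or "ROOT/Dev"
    role_type: RoleType
    privileges: frozenset   # API names the user's role may call (constructed)


@dataclass(frozen=True)
class DomainSettings:
    """Models the two domain-level settings the fix introduces, using the
    defaults the advisory lists ("Admin, DomainAdmin, ResourceAdmin" and true)."""
    same_role_type_allowed: frozenset = frozenset(
        {RoleType.ADMIN, RoleType.DOMAIN_ADMIN, RoleType.RESOURCE_ADMIN})
    allow_same_account: bool = True


def in_domain_scope(caller: User, target: User) -> bool:
    """A caller may only touch users in its own domain or a sub-domain."""
    return target.domain == caller.domain or target.domain.startswith(caller.domain + "/")


def vulnerable_may_reset_password(caller: User, target: User) -> bool:
    """Model of the pre-fix behaviour the advisory describes: only domain scope
    is verified, so a Domain Admin in ROOT passes for an Admin-role user that
    also lives in ROOT. This is a model, not the real CloudStack code path."""
    return caller.role_type >= RoleType.DOMAIN_ADMIN and in_domain_scope(caller, target)


def hardened_may_reset_password(caller: User, target: User,
                                settings: DomainSettings = DomainSettings()) -> tuple:
    """Model of the fixed check. Returns (allowed, reason)."""
    if not in_domain_scope(caller, target):
        return False, "target is outside the caller's domain scope"
    # Strict role-type hierarchy: caller must be at or above the target's role type.
    if caller.role_type < target.role_type:
        return False, (f"caller role {caller.role_type.name} is below "
                       f"target role {target.role_type.name}")
    # Acting on the same role type is only permitted for the role types the setting lists.
    if caller.role_type == target.role_type and caller.role_type not in settings.same_role_type_allowed:
        return False, f"operations on same role type {caller.role_type.name} are disabled"
    # Operations on users inside the caller's own account are gated by their own setting.
    if (caller.account == target.account and caller.domain == target.domain
            and not settings.allow_same_account):
        return False, "operations on users in the same account are disabled"
    # API privilege comparison: the caller must hold every privilege the target holds.
    missing = target.privileges - caller.privileges
    if missing:
        return False, "caller lacks target privileges: " + ", ".join(sorted(missing))
    return True, "allowed"


# Constructed sample users; names, accounts and privilege sets are invented for the demo.
ROOT_ADMIN = User("admin", "admin", "ROOT", RoleType.ADMIN,
                  frozenset({"listUsers", "updateUser", "listAccounts",
                             "createDomain", "updateConfiguration"}))
DA_ROOT = User("ops-da", "ops-admins", "ROOT", RoleType.DOMAIN_ADMIN,
               frozenset({"listUsers", "updateUser", "listAccounts"}))
DA_DEV = User("dev-da", "dev-admins", "ROOT/Dev", RoleType.DOMAIN_ADMIN,
              frozenset({"listUsers", "updateUser"}))
DA_DEV_PEER = User("dev-da-2", "dev-admins", "ROOT/Dev", RoleType.DOMAIN_ADMIN,
                   frozenset({"listUsers", "updateUser"}))
DA_QA = User("qa-da", "qa-admins", "ROOT/QA", RoleType.DOMAIN_ADMIN,
             frozenset({"listUsers", "updateUser", "createDomain"}))
DEV_USER = User("alice", "dev-team", "ROOT/Dev", RoleType.USER, frozenset({"listUsers"}))


if __name__ == "__main__":
    # The case the CVE describes: Domain Admin in ROOT acting on an Admin user.
    print("pre-fix  DA(ROOT) -> Admin:", vulnerable_may_reset_password(DA_ROOT, ROOT_ADMIN))
    print("post-fix DA(ROOT) -> Admin:", hardened_may_reset_password(DA_ROOT, ROOT_ADMIN))
    # Same role type but the target's custom role carries an extra privilege.
    print("post-fix DA(ROOT) -> DA(QA):", hardened_may_reset_password(DA_ROOT, DA_QA))
    # Same-role operations switched off for everyone except Admin.
    strict = DomainSettings(same_role_type_allowed=frozenset({RoleType.ADMIN}))
    print("post-fix DA(ROOT) -> DA(Dev), strict:", hardened_may_reset_password(DA_ROOT, DA_DEV, strict))
```

The order of the checks matters for the reason string a caller receives: domain scope first, then role hierarchy, then the two setting-controlled gates, and only then the privilege comparison, so a denial never leaks the privilege set of a user the caller was not entitled to inspect in the first place.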