CVE-2025-47849

CWE-269Improper Privilege Management3 documents3 sources
Severity
8.8HIGH
EPSS
0.2%
top 54.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache CloudstackApache Cloudstack
Timeline
PublishedJun 10
Latest updateJun 11

Description

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that co

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDapache/cloudstack4.10.0.04.19.3.0+1
CVEListV5apache_software_foundation/apache_cloudstack4.10.04.19.3.0+1

🔴Vulnerability Details

2
GHSA
GHSA-2wpw-3v5g-3wff: A privilege escalation vulnerability exists in Apache CloudStack versions 42025-06-11
CVEList
Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain2025-06-10
CVE-2025-47849 (HIGH CVSS 8.8) | A privilege escalation vulnerabilit | cvebase.io