CVE-2025-26521 – This vulnerability in Apache CloudStack allows ... (How to Fix)

Q: What is the severity of CVE-2025-26521?

CVE-2025-26521 has a CVSS score of 8.1 (HIGH). This vulnerability in Apache CloudStack allows project members with access to CKS-based Kubernetes clusters to steal the API and secret keys of the cluster creator's 'kubeadmin' account. Attackers can then impersonate the creator to perform privileged actions, potentially compromising all resources under that account. Only users of Apache CloudStack with CKS-based Kubernetes clusters in projects are affected.

📋 TL;DR

This vulnerability in Apache CloudStack allows project members with access to CKS-based Kubernetes clusters to steal the API and secret keys of the cluster creator's 'kubeadmin' account. Attackers can then impersonate the creator to perform privileged actions, potentially compromising all resources under that account. Only users of Apache CloudStack with CKS-based Kubernetes clusters in projects are affected.

💻 Affected Systems

Products:

Apache CloudStack

Versions: Versions before 4.19.3.0 and 4.20.1.0

Operating Systems: All operating systems running Apache CloudStack

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects deployments using CKS-based Kubernetes clusters within projects. Standalone CloudStack installations without CKS or projects are not vulnerable.

📦 What is this software?

Cloudstack by Apache

View all CVEs affecting Cloudstack →

Cloudstack by Apache

View all CVEs affecting Cloudstack →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the creator's account leading to unauthorized access, data exfiltration, resource destruction, and lateral movement across the CloudStack environment.

🟠

Likely Case

Project members with malicious intent or compromised accounts gaining elevated privileges to manipulate Kubernetes clusters and associated cloud resources.

🟢

If Mitigated

Limited to authorized project members only, but still represents an excessive privilege escalation within project boundaries.

🌐 Internet-Facing: MEDIUM - Requires authenticated access to the CloudStack API and project membership, but could be exploited if attackers gain initial access through other means.

🏢 Internal Only: HIGH - The primary risk comes from insider threats or compromised internal accounts within projects.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires project membership and access to Kubernetes clusters, but the actual attack involves simple API calls to retrieve credentials from the cluster secret.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.19.3.0 or 4.20.1.0

Vendor Advisory: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/

Restart Required: Yes

Instructions:

1. Upgrade Apache CloudStack to version 4.19.3.0 or 4.20.1.0. 2. Restart CloudStack management server. 3. For existing clusters, follow the service account migration steps in the advisory.

🔧 Temporary Workarounds

Service Account Migration

linux

Create dedicated service accounts for Kubernetes clusters to isolate credentials from user accounts.

Create service account with 'Project Kubernetes Service Role'
Add to project
Generate API/secret keys
Update cloudstack-secret in kube-system namespace
Regenerate original user's keys

🧯 If You Can't Patch

Implement strict project membership controls and audit all project members regularly
Monitor Kubernetes cluster access logs for suspicious secret retrieval activities

🔍 How to Verify

Check if Vulnerable:

Check if CloudStack version is below 4.19.3.0 or 4.20.1.0 and if CKS-based Kubernetes clusters exist in projects.

Check Version:

Check CloudStack management server version via API or configuration files

Verify Fix Applied:

Verify CloudStack version is 4.19.3.0 or higher, and that Kubernetes clusters use service account credentials instead of user account credentials in cloudstack-secret.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access to cloudstack-secret in Kubernetes clusters
API calls from unexpected accounts performing privileged operations
Multiple failed authentication attempts followed by successful privileged actions

Network Indicators:

Unusual API traffic patterns from Kubernetes clusters to CloudStack management server
Credential harvesting attempts from cluster secrets

SIEM Query:

Search for 'cloudstack-secret' access in Kubernetes audit logs combined with privileged CloudStack API calls from new or unexpected sources

📊 Metadata

CVE ID: CVE-2025-26521

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-200

EPSS Score: 0.08% exploit probability (22.4th percentile)

Published: June 10, 2025

Last Updated: July 1, 2025

🔗 References

https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/ Vendor Advisory
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60 Mailing List,Vendor Advisory
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/ Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26521, you might also want to check these: