CVE-2025-30675
📋 TL;DR
This vulnerability allows malicious Domain Admins or Resource Admins in Apache CloudStack to bypass domain isolation by exploiting flawed access control in the listTemplates and listIsos APIs. By supplying particular filter parameters together with a domainid, attackers can enumerate templates and ISOs from the ROOT domain that should be inaccessible to them. This affects all Apache CloudStack deployments with admin users who could abuse their privileges.
💻 Affected Systems
- Apache CloudStack
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Malicious admin extracts sensitive template/ISO metadata from ROOT domain, potentially revealing internal configurations, proprietary templates, or sensitive deployment information that could facilitate further attacks.
Likely Case
Malicious admin enumerates available templates/ISOs across domain boundaries, violating multi-tenant isolation and potentially discovering proprietary or sensitive templates not intended for their domain.
If Mitigated
With proper monitoring and least privilege principles, impact is limited to information disclosure without direct access to actual template/ISO files.
🎯 Exploit Status
Exploitation requires admin privileges but is straightforward via API calls with specific parameters. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.19.3.0 or 4.20.1.0
Vendor Advisory: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/
Restart Required: Yes
Instructions:
1. Back up your CloudStack configuration and database.
2. Download the patched version from Apache CloudStack releases.
3. Follow the official upgrade guide for your version.
4. Restart the CloudStack management server and affected services.
5. Verify the fix by testing API calls with domainid and filter parameters.
🔧 Temporary Workarounds
Restrict Admin API Access
Implement network-level restrictions to limit which IPs can access CloudStack admin APIs, reducing the attack surface from untrusted admin accounts.
# Configure firewall rules to restrict access to CloudStack management server ports (typically 8080, 8250, 9090)
# The rules below cover the API port 8080; replace TRUSTED_ADMIN_CIDR with your admin network (e.g. 10.0.0.0/24)
iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_ADMIN_CIDR -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Implement strict monitoring of listTemplates and listIsos API calls with domainid parameter, especially from non-ROOT domain admins.
- Apply principle of least privilege: review and reduce Domain Admin/Resource Admin accounts to only essential personnel, and implement regular privilege audits.
🔍 How to Verify
Check if Vulnerable:
Test as Domain Admin: Call the listTemplates API with a domainid parameter and filter=self or filter=selfexecutable. If you can see templates from the ROOT domain that should not be visible to your domain, the system is vulnerable.
Check Version:
Check CloudStack version via management server UI or API, or run: grep version /usr/share/cloudstack-management/version.properties
Verify Fix Applied:
After patching, repeat the vulnerable API call. You should only see templates/ISOs from your own domain, not from ROOT domain.
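The verification step above can be scripted so it is repeatable before and after patching. The following is an added example, not code from the advisory or from Apache CloudStack. It assumes you hold an API key/secret for a non-ROOT Domain Admin account in a test environment, that the management server's API endpoint is in CS_API_URL (for example http://mgmt.example.internal:8080/client/api), that CS_DOMAIN_ID is that account's own domain UUID, and that CS_QUERY_DOMAIN_ID is the domainid value your test plan passes to listTemplates (the advisory only says a domainid must be supplied; it defaults to your own domain here). The request is signed with CloudStack's documented API signature scheme (parameters sorted, URL-encoded, lowercased, HMAC-SHA1, base64). Because public templates are legitimately visible across domains, the check only reports non-public templates from another domain.

```python
"""Repeatable check for the listTemplates cross-domain exposure (added example)."""
import base64
import hashlib
import hmac
import json
import os
import sys
import urllib.parse
import urllib.request


def sign_request(params: dict, secret: str) -> str:
    """Return a query string with CloudStack's `signature` parameter appended."""
    # Sort by parameter name (case-insensitively), URL-encode each value, then
    # lowercase the whole string before signing, as the CloudStack API requires.
    encoded = "&".join(
        f"{key}={urllib.parse.quote(str(value), safe='*')}"
        for key, value in sorted(params.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret.encode(), encoded.lower().encode(), hashlib.sha1).digest()
    signature = urllib.parse.quote(base64.b64encode(digest).decode(), safe="")
    return f"{encoded}&signature={signature}"


def foreign_private_templates(response: dict, own_domain_id: str) -> list:
    """Pick out templates the caller should not be able to see.

    Public templates are legitimately visible across domains, so only
    non-public templates belonging to another domain (e.g. ROOT) are returned.
    Assumes the standard `listtemplatesresponse` -> `template` JSON envelope.
    """
    templates = response.get("listtemplatesresponse", {}).get("template", [])
    return [
        t for t in templates
        if str(t.get("domainid")) != own_domain_id and not t.get("ispublic", False)
    ]


def build_check_url(api_url: str, api_key: str, secret: str, query_domain_id: str) -> str:
    """Assemble the listTemplates call the advisory tells you to test with."""
    params = {
        "command": "listTemplates",
        "filter": "self",            # the advisory also names filter=selfexecutable
        "domainid": query_domain_id,
        "response": "json",
        "apiKey": api_key,
    }
    return f"{api_url}?{sign_request(params, secret)}"


def main() -> int:
    own_domain = os.environ["CS_DOMAIN_ID"]
    query_domain = os.environ.get("CS_QUERY_DOMAIN_ID", own_domain)  # assumption, see lead-in
    url = build_check_url(
        os.environ["CS_API_URL"], os.environ["CS_API_KEY"],
        os.environ["CS_SECRET_KEY"], query_domain,
    )
    with urllib.request.urlopen(url, timeout=30) as resp:
        body = json.load(resp)
    leaked = foreign_private_templates(body, own_domain)
    for t in leaked:
        print(f"visible from other domain: {t.get('name')} (domain {t.get('domain')})")
    print("VULNERABLE" if leaked else "no cross-domain private templates returned")
    return 1 if leaked else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once before the upgrade (expect a non-zero exit and a list of ROOT templates on an affected build) and again after restarting the management server; a clean run returns only templates from your own domain plus any public ones. The same shape works for listIsos by changing the command and the response envelope key.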
📡 Detection & Monitoring
Log Indicators:
- API calls to listTemplates or listIsos with domainid parameter and filter=self or filter=selfexecutable from non-ROOT domain admins
- Unusual template enumeration patterns across domain boundaries
Network Indicators:
- Increased API calls to template/ISO listing endpoints from specific admin accounts
- Pattern of requests with domainid parameter manipulation
SIEM Query:
source="cloudstack" AND (api_call="listTemplates" OR api_call="listIsos") AND (parameters.domainid EXISTS) AND (parameters.filter="self" OR parameters.filter="selfexecutable")
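The log indicators and the SIEM query above can also be applied directly to the management server's API log. The following is an added example, not from the advisory or the CloudStack project. It assumes log lines in the style of the CloudStack API log, which records the caller's userId/accountId, source IP, HTTP method, query string and HTTP status; the sample lines and the accountId-to-domain table are constructed for this example (in practice the table would be built from listAccounts output). A line is flagged when a caller outside the ROOT domain issues listTemplates or listIsos with a domainid parameter and filter=self or filter=selfexecutable; ROOT admins are entitled to that view and are skipped.

```python
"""Flag cross-domain template/ISO listings in CloudStack API log lines (added example)."""
import re
from urllib.parse import parse_qs

SUSPECT_COMMANDS = {"listtemplates", "listisos"}
SUSPECT_FILTERS = {"self", "selfexecutable"}

# Constructed sample lines approximating the management server API log layout.
SAMPLE_LOG = """\
2025-05-01 10:00:01,101 INFO  [c.c.a.ApiServer] (qtp-12) (logid:1a2b) (userId=2 accountId=2 sessionId=null) 10.0.0.2 -- GET command=listTemplates&domainid=d-root&filter=self&response=json 200
2025-05-01 10:00:02,202 INFO  [c.c.a.ApiServer] (qtp-13) (logid:3c4d) (userId=7 accountId=7 sessionId=null) 10.0.1.7 -- GET command=listTemplates&filter=self&response=json 200
2025-05-01 10:00:03,303 INFO  [c.c.a.ApiServer] (qtp-14) (logid:5e6f) (userId=7 accountId=7 sessionId=null) 10.0.1.7 -- GET command=listTemplates&domainid=d-root&filter=selfexecutable&response=json 200
2025-05-01 10:00:04,404 INFO  [c.c.a.ApiServer] (qtp-15) (logid:7a8b) (userId=9 accountId=9 sessionId=null) 10.0.2.9 -- GET command=listIsos&domainid=d-root&filter=self&response=json 200
2025-05-01 10:00:05,505 INFO  [c.c.a.ApiServer] (qtp-16) (logid:9c0d) (userId=7 accountId=7 sessionId=null) 10.0.1.7 -- GET command=listVirtualMachines&domainid=d-root&response=json 200
""".splitlines()

# Constructed accountId -> domain path table; ROOT is "/".
ACCOUNT_DOMAINS = {"2": "/", "7": "/Tenant-A", "9": "/Tenant-B"}

LINE_RE = re.compile(
    r"\(userId=(?P<user>\d+) accountId=(?P<account>\d+)[^)]*\) "
    r"(?P<ip>\S+) -- (?P<method>GET|POST) (?P<query>\S+) (?P<status>\d{3})"
)


def parse_line(line: str):
    """Split one API log line into caller account, source IP, status and query parameters."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # parse_qs yields a list per key; these parameters are single-valued.
    params = {k: v[0] for k, v in parse_qs(m["query"], keep_blank_values=True).items()}
    return {"account": m["account"], "ip": m["ip"], "status": int(m["status"]), "params": params}


def is_cross_domain_listing(params: dict, account_domain: str) -> bool:
    """True when a non-ROOT caller lists templates/ISOs with domainid plus a self* filter."""
    if params.get("command", "").lower() not in SUSPECT_COMMANDS:
        return False
    if "domainid" not in params:
        return False
    if params.get("filter", "").lower() not in SUSPECT_FILTERS:
        return False
    # ROOT admins may legitimately scope by domain; anyone else (or an unknown
    # account) matches the advisory's indicator.
    return account_domain != "/"


def detect(lines, account_domains) -> list:
    """Return one alert record per matching log line."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain = account_domains.get(rec["account"], "unknown")
        if is_cross_domain_listing(rec["params"], domain):
            alerts.append({
                "account": rec["account"], "domain": domain, "ip": rec["ip"],
                "command": rec["params"]["command"], "domainid": rec["params"]["domainid"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, ACCOUNT_DOMAINS):
        print(f"ALERT account={a['account']} domain={a['domain']} ip={a['ip']} "
              f"{a['command']} domainid={a['domainid']}")
```

On the constructed sample the ROOT admin's call (account 2) and the call without domainid are ignored, and the two non-ROOT calls (accounts 7 and 9) are reported. To turn alerts into the "unusual enumeration pattern" indicator, group the returned records by account and count them per time window.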