CVE-2025-47713

8.8 HIGH

📋 TL;DR

A privilege escalation vulnerability in Apache CloudStack allows malicious Domain Admin users in the ROOT domain to reset passwords of Admin role accounts. This enables attackers to impersonate higher-privileged users and access sensitive APIs and resources. Affects Apache CloudStack versions 4.10.0.0 through 4.20.0.0.

💻 Affected Systems

Products:
  • Apache CloudStack
Versions: 4.10.0.0 through 4.20.0.0
Operating Systems: All platforms running CloudStack
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where Domain Admin users exist in the ROOT domain. The vulnerability is present in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of CloudStack-managed infrastructure, including data loss, denial of service, and unauthorized access to all resources and APIs.

🟠 Likely Case: Domain Admin users escalating to full Admin privileges, accessing sensitive data and performing unauthorized administrative operations.

🟢 If Mitigated: Limited to authorized Domain Admin operations with proper role hierarchy enforcement.

🌐 Internet-Facing: MEDIUM - Requires authenticated Domain Admin access, but CloudStack management interfaces are often internet-accessible.
🏢 Internal Only: HIGH - Domain Admin users can exploit this from within the organization to gain full administrative control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple API call manipulation by authenticated Domain Admin users.

Exploitation requires existing Domain Admin credentials in the ROOT domain. The vulnerability is in API privilege validation logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.19.3.0 or 4.20.1.0

Vendor Advisory: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/

Restart Required: Yes

Instructions:

1. Back up the CloudStack configuration and database.
2. Download the patched version from the Apache CloudStack website.
3. Stop CloudStack services.
4. Apply the update following the CloudStack upgrade procedures.
5. Restart CloudStack services.
6. Verify the fix is applied.

🔧 Temporary Workarounds

Restrict Domain Admin Privileges (applies to: all platforms)

Remove Domain Admin users from the ROOT domain or limit their privileges to reduce the attack surface.

# Review and modify domain admin accounts using the CloudStack UI or API

Network Segmentation (applies to: all platforms)

Restrict access to the CloudStack management interface to trusted networks only.

# Configure firewall rules to limit CloudStack API access

🧯 If You Can't Patch

  • Implement strict access controls and monitor all Domain Admin user activities.
  • Regularly audit user accounts and privilege assignments, especially in ROOT domain.

🔍 How to Verify

Check if Vulnerable:

Check the CloudStack version via the management UI or API. If the version is between 4.10.0.0 and 4.20.0.0 (excluding 4.19.3.0 and 4.20.1.0), the system is vulnerable.

Check Version:

# Check via the CloudStack API, or directly in the database (the installed version is recorded in the cloud.version table, not in cloud.configuration):
mysql -u cloud -p -e 'SELECT version FROM cloud.version ORDER BY id DESC LIMIT 1;'

Verify Fix Applied:

After patching, verify version is 4.19.3.0 or 4.20.1.0. Test that Domain Admin users cannot reset Admin user passwords.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password reset operations by Domain Admin users
  • API calls to resetAdminPassword or similar functions from Domain Admin accounts
  • Multiple failed login attempts followed by password reset

Network Indicators:

  • API requests to user management endpoints from unexpected sources
  • Increased API traffic to administrative endpoints

SIEM Query:

source="cloudstack.log" AND ("resetPassword" OR "updateUser") AND user_role="DomainAdmin" AND target_role="Admin"
