CVE-2025-59454

4.3 MEDIUM

📋 TL;DR

This CVE describes an information disclosure vulnerability in Apache CloudStack: insufficient permission validation in several APIs lets authorized users occasionally access data beyond their intended permissions. Deployments are affected wherever users can call the affected APIs, since the missing validation lets them see information they should not be able to see.

💻 Affected Systems

Products:
  • Apache CloudStack
Versions: before 4.20.2.0 and before 4.22.0.0
Operating Systems: All operating systems running Apache CloudStack
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where users have access to the specific APIs mentioned. Multi-tenant environments are most at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authorized users could access sensitive configuration data, network ACLs, or usage history belonging to other tenants, potentially enabling lateral movement or data exfiltration.

🟠 Likely Case

Authorized users inadvertently or intentionally viewing limited information about other users' resources or configurations.

🟢 If Mitigated

Minimal impact where proper network segmentation and least-privilege access controls are already in place.

🌐 Internet-Facing: MEDIUM - If the CloudStack management interface is exposed to the internet, this could allow information disclosure to authenticated attackers.
🏢 Internal Only: MEDIUM - Even internally, this could allow privilege escalation or unauthorized data access within multi-tenant environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated access but exploitation is straightforward once authenticated.

Exploitation requires valid user credentials and access to the affected APIs. The vulnerability is in permission validation logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.20.2.0 or 4.22.0.0

Vendor Advisory: https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc

Restart Required: Yes

Instructions:

1. Back up your CloudStack configuration and database.
2. Download the patched version from the Apache CloudStack website.
3. Follow the official upgrade guide for your version.
4. Restart the CloudStack management server and affected services.
5. Verify that the upgrade was successful.

🔧 Temporary Workarounds

API Access Restriction


Temporarily restrict access to the affected APIs using network controls or API gateways.

# Use firewall rules to restrict access to the CloudStack API endpoint (port 8080 in this example;
# adjust to the port your management server actually listens on).
# <trusted_network_cidr> is a placeholder for your administrative/tenant client networks.
iptables -A INPUT -p tcp --dport 8080 -s <trusted_network_cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Enhanced Monitoring


Implement detailed logging and monitoring for the affected API calls to detect abuse.

# Enable debug logging in CloudStack
# Edit /etc/cloudstack/management/log4j-cloud.xml
# Set log level to DEBUG for org.apache.cloudstack.api

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CloudStack management interface
  • Apply principle of least privilege and review all user permissions regularly

🔍 How to Verify

Check if Vulnerable:

Check CloudStack version via management UI or API. Versions before 4.20.2.0 or 4.22.0.0 are vulnerable.

Check Version:

cloudstack-setup-databases --version 2>/dev/null || grep version /usr/share/cloudstack-management/version
# Alternatively, query the installed package: rpm -q cloudstack-management (RPM systems) or dpkg-query -W cloudstack-management (Debian/Ubuntu).

Verify Fix Applied:

After the upgrade, verify that the version is at least 4.20.2.0 (on the 4.20 line) or at least 4.22.0.0, and test with a non-administrative account that the affected APIs no longer return data belonging to other accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, listVolumesUsageHistory from unexpected users
  • Multiple failed permission checks in CloudStack logs

Network Indicators:

  • Unusual patterns of API requests to CloudStack management interface
  • High volume of requests to the affected endpoints

SIEM Query:

source="cloudstack" AND (api_call="createNetworkACL" OR api_call="listNetworkACLs" OR api_call="listResourceDetails" OR api_call="listVirtualMachinesUsageHistory" OR api_call="listVolumesUsageHistory") | stats count by user, src_ip
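As an added example (not code from the advisory or from the CloudStack project), the following Python script applies the log indicators above to constructed management-server.log lines: it extracts the source IP, API key and command from each request-start line, counts calls to the five affected APIs, and separates those coming from sources outside a trusted set. The `===START=== <ip> -- <METHOD> <query>` line shape and the presence of an `apiKey` parameter in the logged query string are assumptions about the log format; the sample lines and the trusted-source set are constructed for illustration.

```python
import re
from collections import Counter

# The five APIs named in the advisory for CVE-2025-59454.
AFFECTED_APIS = {a.lower() for a in (
    "createNetworkACL", "listNetworkACLs", "listResourceDetails",
    "listVirtualMachinesUsageHistory", "listVolumesUsageHistory")}

# Assumed request-start line shape in management-server.log:
#   "... ===START===  <src_ip> -- <METHOD>  command=<api>&<params>"
START_RE = re.compile(r"===START===\s+(?P<ip>\S+)\s+--\s+\w+\s+(?P<qs>\S+)")

# Constructed sample lines (not real CloudStack output).
SAMPLE_LOG = """\
2025-09-30 10:00:01,101 DEBUG [c.c.a.ApiServlet] (qtp-1:ctx-1) (logid:aaa) ===START===  10.0.0.5 -- GET  command=listVirtualMachines&response=json&apiKey=KEY-OPS
2025-09-30 10:00:02,102 DEBUG [c.c.a.ApiServlet] (qtp-1:ctx-2) (logid:bbb) ===START===  10.0.0.5 -- GET  command=listNetworkACLs&response=json&apiKey=KEY-OPS
2025-09-30 10:00:03,103 DEBUG [c.c.a.ApiServlet] (qtp-1:ctx-3) (logid:ccc) ===START===  203.0.113.9 -- GET  command=listResourceDetails&resourcetype=UserVm&response=json&apiKey=KEY-TENANT
2025-09-30 10:00:04,104 DEBUG [c.c.a.ApiServlet] (qtp-1:ctx-4) (logid:ddd) ===START===  203.0.113.9 -- GET  command=listVolumesUsageHistory&response=json&apiKey=KEY-TENANT
2025-09-30 10:00:04,105 DEBUG [c.c.a.ApiServlet] (qtp-1:ctx-4) (logid:ddd) ===END===  203.0.113.9 -- GET  command=listVolumesUsageHistory&response=json
"""

def parse_api_requests(lines):
    """Yield (src_ip, api_key, command) for every request-start line."""
    for line in lines:
        m = START_RE.search(line)
        if not m:
            continue  # ===END=== lines and unrelated log output are skipped
        params = dict(kv.split("=", 1) for kv in m.group("qs").split("&") if "=" in kv)
        yield m.group("ip"), params.get("apiKey", "-"), params.get("command", "")

def affected_api_calls(lines, trusted_sources=frozenset()):
    """Count calls to the affected APIs by (src_ip, api_key, command), the
    equivalent of the SIEM 'stats count by user, src_ip' above, and return
    separately the subset coming from sources not in trusted_sources."""
    counts, untrusted = Counter(), Counter()
    for ip, key, cmd in parse_api_requests(lines):
        if cmd.lower() not in AFFECTED_APIS:
            continue  # only the APIs named in the advisory are of interest
        counts[(ip, key, cmd)] += 1
        if ip not in trusted_sources:
            untrusted[(ip, key, cmd)] += 1
    return counts, untrusted

if __name__ == "__main__":
    counts, untrusted = affected_api_calls(SAMPLE_LOG.splitlines(), {"10.0.0.5"})
    for (ip, key, cmd), n in sorted(counts.items()):
        flag = "REVIEW" if (ip, key, cmd) in untrusted else "ok"
        print(f"{flag:6} {ip:15} {key:10} {cmd:32} {n}")
```

Point the script at the real management-server.log and replace the trusted set with the addresses of your known API clients; entries flagged REVIEW are the ones to correlate with the account that owns the API key.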
