The Apache CloudStack project has urgently rolled out Long Term Support (LTS) versions 4.20.3.0 and 4.22.0.1 to address a cluster of seven security vulnerabilities. Spanning from “Low” to “Important” severity, these flaws expose cloud infrastructures to severe risks, including cross-tenant virtual machine (VM) hijacking, unauthorized backup exploitation, and arbitrary code execution on KVM hosts.
Cloud administrators and DevOps teams utilizing CloudStack to manage their infrastructure must prioritize these patches to secure their environments against internal and external threats.
The Proxmox Cross-Tenant Hijack (CVE-2026-25199)
One of the most concerning vulnerabilities for multi-tenant environments involves the Proxmox extension. The integration “improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines”.
Because this parameter is not strictly validated against tenant ownership, it opens a dangerous loophole. According to the advisory, “a non-privileged attacker can modify the setting to reference a VM belonging to another account”. This exploit effectively “allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine”.
Arbitrary Code Execution on KVM Hosts (CVE-2026-25077)
Another severe threat, graded as “Important”, impacts CloudStack deployments managing KVM hypervisors. Attackers exploiting this flaw can “register malicious templates to execute arbitrary code on the KVM hosts”.
A successful compromise at the hypervisor level is catastrophic. The project explicitly warns that this exploit “can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack”.
Backup Plugin Breaches
The update also patches dangerous authorization failures within the CloudStack Backup plugin.
- CVE-2025-66170: Due to improper authorization logic, anyone with authenticated access can “list backups from any account in the environment”. While this specific vulnerability “does not allow them to see the contents of the backup,” it still represents a significant reconnaissance risk.
- CVE-2025-66171: A far more severe escalation of the backup flaw dictates that “Any user can create a new VM from backups they should not have access to”.
- CVE-2025-66172: Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments where this plugin is enabled, and who can reach the relevant APIs, can restore a volume from any other user’s backups and attach the volume to their own VMs.
Remediation and Workarounds
These vulnerabilities affect a wide range of Apache CloudStack releases, from 4.11.0 through 4.22.0.0 depending on the specific CVE.
To secure their cloud environments, users are advised to upgrade to version 4.20.3.0 or 4.22.0.1 or later, which address these issues.
For organizations that cannot patch the Proxmox extension immediately, CloudStack has provided a temporary workaround for the cross-tenant hijack. Administrators can prevent users from editing the proxmox_vmid instance detail “by adding this detail name to the global configuration parameter – user.vm.denied.details”. This workaround covers only the Proxmox issue; the remaining CVEs require the upgrade.
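The Proxmox workaround above, as an added Python example that is not part of the advisory or the CloudStack code base: it reads the current value of user.vm.denied.details, appends proxmox_vmid only if it is missing (so any details an administrator has already denied are not clobbered by a blind overwrite), and writes the result back with updateConfiguration. The request signature follows CloudStack’s documented HMAC-SHA1 scheme; the endpoint URL, the API key pair, the environment variable names, the assumption that the setting is stored as a comma-separated list, and the JSON response key names are assumptions to check against your own deployment.

```python
"""Deny user edits of the proxmox_vmid instance detail via the CloudStack API.

Added example, not CloudStack project code. Endpoint, credentials, the
comma-separated storage format of the setting and the JSON response key
names are assumptions; the HMAC-SHA1 request signature is CloudStack's
documented scheme.
"""
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

CONFIG_NAME = "user.vm.denied.details"   # global setting named in the advisory
DENIED_DETAIL = "proxmox_vmid"           # user-editable detail abused by CVE-2026-25199


def canonical_query(params: dict) -> str:
    """Build the string CloudStack signs: parameters sorted by name, URL-encoded
    with '%20' for spaces, then the whole string lowercased."""
    pairs = [f"{k}={urllib.parse.quote(str(params[k]), safe='')}"
             for k in sorted(params, key=str.lower)]
    return "&".join(pairs).lower()


def sign(params: dict, secret_key: str) -> str:
    """HMAC-SHA1 over the canonical query, base64-encoded (28 characters)."""
    mac = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(endpoint: str, params: dict, api_key: str, secret_key: str) -> str:
    """Full request URL: original-case parameters plus apiKey, response=json and signature."""
    full = dict(params, apiKey=api_key, response="json")
    signature = urllib.parse.quote(sign(full, secret_key), safe="")
    return f"{endpoint}?{urllib.parse.urlencode(full)}&signature={signature}"


def merge_denied_details(current, detail: str = DENIED_DETAIL) -> str:
    """Add `detail` to a comma-separated list exactly once, keeping existing entries
    and their order. An empty or None current value yields just `detail`."""
    entries = [e.strip() for e in (current or "").split(",") if e.strip()]
    if detail not in entries:
        entries.append(detail)
    return ",".join(entries)


def call_api(endpoint: str, params: dict, api_key: str, secret_key: str) -> dict:
    """Perform a signed GET and decode the JSON body."""
    with urllib.request.urlopen(signed_url(endpoint, params, api_key, secret_key)) as resp:
        return json.load(resp)


def deny_proxmox_vmid(endpoint: str, api_key: str, secret_key: str) -> str:
    """Read-merge-write of user.vm.denied.details; returns the value now in force."""
    listed = call_api(endpoint, {"command": "listConfigurations", "name": CONFIG_NAME},
                      api_key, secret_key)
    # Assumed response shape (CloudStack's <command>response wrapper convention):
    # {"listconfigurationsresponse": {"configuration": [{"name": ..., "value": ...}]}}
    configs = listed.get("listconfigurationsresponse", {}).get("configuration", [])
    current = next((c.get("value") for c in configs if c.get("name") == CONFIG_NAME), "")
    new_value = merge_denied_details(current)
    # Write only when something changes; a normalised list (spaces stripped) counts as a change.
    if new_value != (current or ""):
        call_api(endpoint, {"command": "updateConfiguration", "name": CONFIG_NAME,
                            "value": new_value}, api_key, secret_key)
    return new_value


if __name__ == "__main__":
    # Endpoint and credentials from the environment (assumed variable names),
    # e.g. CS_ENDPOINT=https://cloud.example/client/api
    print(deny_proxmox_vmid(os.environ["CS_ENDPOINT"],
                            os.environ["CS_API_KEY"], os.environ["CS_SECRET_KEY"]))
```

Run it once with an admin API key pair, then confirm the change by listing the configuration again; verifying that a non-admin user can no longer update the proxmox_vmid detail on one of their own instances is the real check that the workaround took effect.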