CVE Watchtower


← Back to CVE List

CVE-2025-66171NVD

Vulnerability Summary

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
Severity Level
MEDIUM(6.5)
Published Date
May 8, 2026
Last Modified
May 12, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
0.02%Probability
Root Weakness (CWE)
Refer to the official MITRE database for detailed architectural specifications regarding this weakness.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityNone
AvailabilityNone