CVE-2025-22828

Medium

Published: 13 January 2025

Published

13 January 2025

Modified

01 July 2025

KEV Added

—

Patch

—

CVSS Score 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.1836 95.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22828 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apache Cloudstack. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly addresses the access validation flaw by requiring enforcement of approved authorizations to prevent unauthorized listing or addition of annotations on resources via known UUIDs.

AC-6 Least Privilege good match

prevent

Implements least privilege by restricting listAnnotations and addAnnotation API access to only authorized roles like admins, mitigating unauthorized annotation operations.

AC-24 Access Control Decisions partial match

prevent

Requires explicit access control decisions for operations on resources, helping to validate user authorization against resource UUIDs before allowing annotation access.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Authorization bypass in CloudStack API enables unauthorized read/write of resource annotations via network access with valid account and UUID knowledge, directly facilitating exploitation of public-facing cloud service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can…

list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact. CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.

Deeper analysisAI

CVE-2025-22828 is an access validation issue affecting Apache CloudStack versions from 4.16.0. The vulnerability enables users who have access, prior access, or knowledge of resource UUIDs to list and add comments, known as annotations, on authorized resources. Normally, CloudStack users can add and read annotations only on resources they are explicitly authorized to access, but this flaw bypasses proper validation, with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

An attacker requires a valid user account along with either current access or prior knowledge of specific resource UUIDs to exploit this issue over the network. Successful exploitation allows the attacker to read the contents of existing annotations or add malicious annotations to targeted resources, potentially leading to a loss of confidentiality if those annotations contain privileged information. However, the overall impact remains low, as guessing or brute-forcing resource UUIDs is generally difficult or impossible, and access to annotations does not equate to broader access to CloudStack resources themselves.

Advisories recommend that CloudStack administrators disallow the listAnnotations and addAnnotation API access for non-admin roles as an interim mitigation measure. References include the Apache mailing list announcement at https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2025/01/13/1.

Details

CWE(s): CWE-200

Affected Products

apache

cloudstack

≥ 4.16.0.0

CVEs Like This One

CVE-2026-25199Same product: Apache Cloudstack

CVE-2025-68438Same vendor: Apache

CVE-2025-62188Same vendor: Apache

CVE-2025-24783Same vendor: Apache

CVE-2026-24343Same vendor: Apache

CVE-2025-61622Same vendor: Apache

CVE-2024-52577Same vendor: Apache

CVE-2026-41635Same vendor: Apache

CVE-2025-67895Same vendor: Apache

CVE-2024-55532Same vendor: Apache

References

https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs
Mailing List, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2025/01/13/1
Mailing List · af854a3a-2127-422b-91ae-364da2661108