CVE-2025-66172 | HIGH 8.1 | EPSS percentile 39.5%


Description

The CloudStack Backup plugin has improper access-control logic in versions 4.21.0.0 and 4.22.0.0. Any authenticated user account in a CloudStack 4.21.0.0+ environment where this plugin is enabled, and which has access to the specific backup APIs involved, can restore a volume from any other user's backups and attach that volume to its own VMs, giving it access to the other user's data. Backup plugin users on CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack 4.22.0.1, which fixes this issue.
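The description above boils down to a missing ownership check on the restore path: the backup id the caller names is resolved and restored without confirming that the caller is allowed to use that backup. The block below is an added illustration, not Apache CloudStack code and not the actual patch: it models a restore call with the check switched off (the flawed behaviour the advisory describes) and switched on, using an assumed account/domain/role model, and adds a small helper for the affected version range named in the advisory (4.21.0.0 up to, but not including, 4.22.0.1). All names, roles and sample data are assumptions made for the example.

```python
# Added illustration for CVE-2025-66172: a hypothetical model of the missing
# ownership check on the backup-restore path, plus a helper for the affected
# version range. This is NOT Apache CloudStack code; names, roles and data
# are assumptions made for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    domain_id: str
    role: str  # assumed role model: "user", "domain-admin" or "root-admin"


@dataclass(frozen=True)
class Backup:
    backup_id: str
    volume_id: str
    owner: Account


class AccessDenied(Exception):
    """Raised when the caller is not allowed to use the backup."""


def caller_may_access(caller: Account, owner: Account) -> bool:
    """Ownership rule the restore path must enforce (assumed rule set):
    root admins see everything, domain admins their own domain, ordinary
    users only backups owned by their own account."""
    if caller.role == "root-admin":
        return True
    if caller.role == "domain-admin":
        return caller.domain_id == owner.domain_id
    return caller.account_id == owner.account_id


def restore_volume_from_backup(caller: Account, backup_id: str,
                               backups: dict, enforce_ownership: bool = True) -> dict:
    """Restore a volume from a backup.

    With enforce_ownership=False the function behaves like the flawed logic
    described in the advisory: any authenticated caller who can reach the API
    and names a valid backup id gets a volume restored from it. With
    enforce_ownership=True the backup's owner is checked against the caller
    before anything is restored.
    """
    backup = backups.get(backup_id)
    if backup is None:
        raise KeyError(f"no such backup: {backup_id}")
    if enforce_ownership and not caller_may_access(caller, backup.owner):
        # Deny before any side effect; a real service would also log this.
        raise AccessDenied(f"{caller.account_id} may not restore {backup_id}")
    # The returned record stands in for the created volume and shows who
    # ended up holding whose data.
    return {
        "restored_volume": f"vol-restored-from-{backup.volume_id}",
        "source_backup": backup_id,
        "data_owner": backup.owner.account_id,
        "restored_for": caller.account_id,
    }


def parse_version(version: str) -> tuple:
    """'4.22.0' -> (4, 22, 0, 0); pads or trims to four numeric components."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected_version(version: str) -> bool:
    """True for the range named in the advisory: 4.21.0.0 up to but not
    including the fixed release 4.22.0.1."""
    return (4, 21, 0, 0) <= parse_version(version) < (4, 22, 0, 1)


# Constructed sample data: two ordinary users in the same domain.
VICTIM = Account("acct-victim", "dom-a", "user")
ATTACKER = Account("acct-attacker", "dom-a", "user")
BACKUPS = {"bkp-1": Backup("bkp-1", "vol-victim-data", VICTIM)}


def demo() -> dict:
    """Run the flawed path and the fixed path side by side."""
    flawed = restore_volume_from_backup(ATTACKER, "bkp-1", BACKUPS, enforce_ownership=False)
    try:
        restore_volume_from_backup(ATTACKER, "bkp-1", BACKUPS)
        fixed = "allowed"
    except AccessDenied:
        fixed = "denied"
    return {"flawed": flawed["data_owner"], "fixed": fixed}


if __name__ == "__main__":
    print(demo())
    for v in ("4.20.0.0", "4.21.0.0", "4.22.0.0", "4.22.0.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The point of the model is where the check sits: the owner is resolved from the stored backup record, not from anything the caller supplies, and the comparison happens before the restore has any side effect. The version helper only covers the numeric range the advisory names; a build with a suffix such as a snapshot tag would need the suffix stripped before parsing.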

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.51% probability of exploitation · percentile 39.5% · scored 2026-06-18T12:00:27Z
Published: 2026-05-08
Last modified: 2026-05-12

Underlying weaknesses · 1

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

References

  1. https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
  2. http://www.openwall.com/lists/oss-security/2026/05/09/3

Classification · 1

Type: Weakness
Target: Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-66467
CVE: CVE-2026-25199
CVE: CVE-2025-47849
CVE: CVE-2026-25077
CVE: CVE-2025-47713
CVE: CVE-2025-45472
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.