CVE-2025-22828

Name: CVE-2025-22828
Creator: NVD / NIST
Published: 2025-01-13T13:16:12.233+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.3/10EPSS 1.91%

Last modified Jun 17, 2026

CVE-2025-22828 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact. CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.. EPSS estimates a 1.91% chance of exploitation in the next 30 days.

Description

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact. CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

1.91%

77.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions
Apache	Cloudstack	>= 4.16.0.0

References

https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rsMailing List, Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/01/13/1Mailing List

Timeline

Published: Jan 13, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-22828?

How severe is CVE-2025-22828?

CVE-2025-22828 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 1.91% probability of exploitation in the next 30 days.

How do I fix CVE-2025-22828?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-22828?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST