CVE-2025-22828

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Jan 13, 2025
CWE ID 200

Summary

CVE-2025-22828 is a vulnerability affecting Apache CloudStack versions 4.16.0 and above. This issue allows users with authorized access to add and read comments (annotations) on resources, even if they don't have direct access to those resources. By leveraging this access validation issue, an attacker with a user account and knowledge of resource UUIDs can potentially gain insight into confidential information contained within the comments. Because resource UUIDs are difficult to guess or brute-force, and access to comments is not the same as access to CloudStack resources, this vulnerability is rated very low severity with generally low impact. CloudStack administrators can mitigate the risk by disallowing listAnnotations and addAnnotation API access to non-admin roles in their environment.

