High

Authorization bypass in OpenStack Keystone EC2/S3 token endpoints

IdentifiersCVE-2025-65073CWE-863· Incorrect Authorization

CVE-2025-65073 is a high-severity authorization bypass in OpenStack Keystone affecting the /v3/ec2tokens and /v3/s3tokens endpoints. In affected versions, Keystone can accept a request containing a valid AWS Signature Version 4 and grant Keystone authorization without adequately verifying that the requester actually possesses the corresponding AWS secret access key. As a result, an attacker who obtains a valid presigned URL or otherwise captures reusable signed AWS request data can replay that signature to Keystone and impersonate the associated OpenStack cloud user. The issue affects Keystone versions before 26.0.1, as well as 27.0.0 and 28.0.0 as identified in the provided content.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows authentication and authorization bypass in Keystone. Abuse of /v3/ec2tokens can result in issuance of a fully scoped Keystone token carrying the victim account’s permissions, enabling unauthorized access to OpenStack resources and APIs available to that identity. Abuse of /v3/s3tokens can disclose project and scope metadata associated with the victim account, which may facilitate follow-on attacks, account targeting, or privilege mapping. The vulnerability therefore enables impersonation of legitimate users and unauthorized access within affected OpenStack deployments.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting or disabling external access to the /v3/ec2tokens and /v3/s3tokens endpoints where operationally feasible, especially in deployments using EC2 credentials for S3-compatible storage or registry integrations. Minimize generation and exposure of presigned URLs, shorten their TTLs where possible, and treat presigned URLs and signed request material as sensitive credentials. Monitor for unexpected use of these Keystone endpoints and rotate affected EC2-style credentials if exposure is suspected. These are interim measures only; patching is the primary fix.

Remediation

Patch, then assume compromise.

Upgrade OpenStack Keystone to a fixed release. According to the provided content, affected versions are those before 26.0.1, and the vulnerable releases include 27.0.0 and 28.0.0; remediation is to deploy the vendor-fixed versions referenced by OpenStack advisory OSSA-2025-002 and downstream advisories such as Ubuntu USN-7857-1 and Debian DSA-6056-1. Ensure all Keystone nodes are updated consistently across the deployment.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

OpenstackKeystoneapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

zeropath blogNews

Nov 17, 2025

OpenStack Keystone CVE-2025-65073: Brief Summary of EC2/S3 Token Endpoint Authorization Bypass - ZeroPath Blog | ZeroPath

A high-severity authorization bypass in OpenStack Keystone EC2 and S3 token endpoints that allows replay of valid AWS Signature Version 4 credentials from presigned URLs, potentially yielding a fully scoped Keystone token or leaking project and scope information.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-65073

NVD

nvd.nist.gov/vuln/detail/CVE-2025-65073

MITRE CWE · CWE-863

Incorrect Authorization

openwall.com

openwall.com/lists/oss-security/2025/11/17/6

openwall.com

openwall.com/lists/oss-security/2025/11/04/2