CloudStack MinIO Policy Cleanup Failure on Bucket Deletion

CVE-2025-66467 is a critical access control vulnerability in Apache CloudStack that fails to properly clean up MinIO bucket policies when buckets are deleted. When a bucket is removed, the associated access and secret keys remain valid and retain their permissions. If another user subsequently creates a new bucket with the same name, the previous owner can exploit their still-valid credentials to gain unauthorized read and write access to the new bucket. This affects any organization using CloudStack with MinIO object storage backends, particularly those with multi-tenant environments where bucket name reuse is likely. The vulnerability is especially dangerous in regulated industries where data isolation is mandatory, as it enables cross-tenant data breaches and unauthorized data modification.

While this CVE doesn't map to specific MITRE ATT&CK techniques, practitioners using Casky.ai would benefit from skills that detect anomalous credential usage patterns and unauthorized access attempts. The underlying attack pattern involves Credential Access (obtaining valid keys that should be revoked) followed by Lateral Movement or Privilege Escalation (using those credentials to access resources they shouldn't). Casky's extended reasoning capabilities would help identify suspicious indicators such as: access key usage patterns that predate current bucket ownership, authentication succeeding with credentials from deleted resources, or unusual cross-tenant access patterns in CloudStack audit logs. Security teams should monitor for failed and succeeded authentication attempts using aged credentials, implement strict bucket naming conventions to prevent reuse, and audit all credentials associated with deleted buckets to ensure proper revocation across all services.