A high-severity vulnerability has been identified in multiple OpenNebula products, specifically affecting versions of the Community Edition prior to 7.0. If exploited, this flaw could allow an unauthenticated attacker to remotely execute arbitrary code on the OpenNebula management server, potentially leading to a complete compromise of the cloud infrastructure, data breaches, and service disruption. Organizations using the affected software are at significant risk and must take immediate action to mitigate this threat.

The vulnerability is a command injection flaw within the OpenNebula Sunstone web interface. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request containing malicious shell commands to a specific, unsanitized API endpoint. The OpenNebula server fails to properly validate the input, allowing the commands to be passed directly to the underlying operating system and executed with the privileges of the OpenNebula service account.

This vulnerability is rated as High severity with a CVSS score of 8.1, reflecting the significant risk it poses to the organization. Successful exploitation could grant an attacker complete control over the OpenNebula management plane. This could lead to severe consequences, including the unauthorized access, modification, or exfiltration of sensitive data from all managed virtual machines, the deployment of ransomware or cryptominers across the infrastructure, and the complete disruption of business-critical services. The potential for reputational damage, financial loss, and regulatory penalties is substantial.

Immediate Action: Organizations must apply vendor-supplied security updates immediately by upgrading all affected instances to OpenNebula Community Edition 7.0 or a later patched version. Following the update, security teams should actively monitor for any signs of exploitation attempts by reviewing OpenNebula and web server access logs for suspicious or malformed requests.

Proactive Monitoring: Implement enhanced logging and alerting. Monitor for unusual processes spawned by the OpenNebula service user (oned), unexpected outbound network connections from the OpenNebula front-end server, and review web server (e.g., Nginx, Apache) and Sunstone API logs for requests containing shell metacharacters (e.g., |, &, ;, $()).

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce the risk:

• Restrict network access to the OpenNebula Sunstone web interface and API endpoints to trusted IP ranges using a host-based or network firewall.
• Deploy a Web Application Firewall (WAF) with rules designed to detect and block command injection attempts against the known vulnerable endpoints.
• Ensure the OpenNebula service account runs with the principle of least privilege.

Public Exploit Available: False

Given the high CVSS score of 8.1 and the potential for a full compromise of the cloud management infrastructure, this vulnerability represents a critical risk. We strongly recommend that all organizations using affected versions of OpenNebula prioritize the immediate deployment of the vendor-provided patch. While there is no current evidence of active exploitation, the risk profile necessitates urgent action. If immediate patching is not feasible, the compensating controls outlined above must be implemented as a temporary measure to reduce the attack surface.