CVE-2026-39910
STACKIT · IaaS API
A missing authorization check in the STACKIT IaaS API allows low-privileged users to escalate privileges to full organization compromise.
Executive summary
A critical authorization bypass in the STACKIT IaaS API allows low-privileged attackers to escalate privileges and gain full control over the organization’s cloud environment.
Vulnerability
The vulnerability is a missing authorization check on the PUT endpoint of the servers service-accounts resource, which attaches a service account to a virtual machine. Because the API does not verify that the caller is permitted to manage the chosen service account, an authenticated, low-privileged attacker can attach a high-privileged service account to a virtual machine they control and then retrieve that account's OAuth2 tokens from the instance metadata service.
Business impact
With a CVSS score of 9.8, this vulnerability represents an existential risk to the organization's cloud infrastructure. An attacker exploiting it can move laterally, obtain high-privilege credentials, and effectively gain full administrative control over the organization's entire cloud environment, leading to large-scale data theft and destruction of infrastructure.
Remediation
Immediate Action: Update the STACKIT IaaS API to the latest version that enforces proper authorization checks on service account management.
Proactive Monitoring: Audit API logs for unauthorized modifications to virtual machine service accounts and suspicious metadata service queries.
Compensating Controls: Apply the principle of least privilege by restricting which users can manage service accounts, and monitor for unusual OAuth2 token requests against the metadata service.
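As an added illustration of the "Proactive Monitoring" item above (this is example code, not STACKIT's own tooling), the script below triages two constructed log sources: an API audit log and a metadata-service access log. It flags successful PUT calls to the servers service-accounts endpoint made by roles that should not manage service accounts, then correlates them with token fetches from the metadata service on the same server within a short window. The JSON-lines log format, the field names, the role names, the URL path layout and the 30-minute window are all assumptions for the example.

```python
"""Audit-log triage for unauthorized service-account attachments.

Added example, not STACKIT's own code: the log format, field names,
role names, URL paths and sample records below are constructed
assumptions for illustration only.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample: IaaS API audit log, one JSON object per line (assumed format).
SAMPLE_API_LOG = """\
{"ts": "2026-04-01T10:00:00Z", "principal": "alice", "role": "project.admin", "method": "PUT", "path": "/v1/projects/p1/servers/srv-1/service-accounts/sa-ci", "status": 200}
{"ts": "2026-04-01T10:05:00Z", "principal": "bob", "role": "project.member", "method": "PUT", "path": "/v1/projects/p1/servers/srv-2/service-accounts/sa-org-admin", "status": 200}
{"ts": "2026-04-01T10:06:00Z", "principal": "bob", "role": "project.member", "method": "GET", "path": "/v1/projects/p1/servers/srv-2", "status": 200}
"""

# Constructed sample: metadata-service access log (assumed format).
SAMPLE_METADATA_LOG = """\
{"ts": "2026-04-01T10:07:30Z", "server": "srv-2", "path": "/metadata/token"}
{"ts": "2026-04-01T11:30:00Z", "server": "srv-1", "path": "/metadata/token"}
"""

# Assumed path layout of the servers service-accounts endpoint.
SA_ATTACH_RE = re.compile(
    r"^/v1/projects/[^/]+/servers/(?P<server>[^/]+)/service-accounts/(?P<sa>[^/]+)$"
)
# Assumption: only these roles are expected to manage service accounts.
ROLES_ALLOWED_TO_ATTACH = {"project.admin", "project.owner"}
# A token fetch this soon after an unauthorized attachment is treated as escalation.
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_jsonl(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unauthorized_attachments(api_entries):
    """Successful PUTs to the service-account endpoint by a role outside the allowlist."""
    findings = []
    for e in api_entries:
        match = SA_ATTACH_RE.match(e["path"])
        if (e["method"] == "PUT" and match and e["status"] == 200
                and e["role"] not in ROLES_ALLOWED_TO_ATTACH):
            findings.append({
                "ts": parse_ts(e["ts"]),
                "principal": e["principal"],
                "server": match["server"],
                "service_account": match["sa"],
            })
    return findings


def correlate_token_requests(attachments, metadata_entries):
    """Metadata token fetches on a server shortly after an unauthorized attachment there."""
    hits = []
    for md in metadata_entries:
        if not md["path"].endswith("/token"):
            continue
        t = parse_ts(md["ts"])
        for a in attachments:
            if a["server"] == md["server"] and a["ts"] <= t <= a["ts"] + CORRELATION_WINDOW:
                hits.append({**a, "token_request_ts": t})
    return hits


def triage(api_log=SAMPLE_API_LOG, metadata_log=SAMPLE_METADATA_LOG):
    """Return (unauthorized attachments, attachments followed by a token fetch)."""
    attachments = find_unauthorized_attachments(parse_jsonl(api_log))
    escalations = correlate_token_requests(attachments, parse_jsonl(metadata_log))
    return attachments, escalations


if __name__ == "__main__":
    attached, escalated = triage()
    for a in attached:
        print(f"ATTACH  {a['ts']} {a['principal']} -> {a['server']} ({a['service_account']})")
    for h in escalated:
        print(f"TOKEN   {h['token_request_ts']} on {h['server']} after attach by {h['principal']}")
```

In the sample, alice's attachment is allowed by role and is not reported, while bob's attachment of sa-org-admin to srv-2 is flagged and, because srv-2 fetches a metadata token two and a half minutes later, is promoted to an escalation finding. On a real deployment the allowlist should be derived from the organization's actual role model, and the second source can be any log that records per-instance metadata requests.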
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly severe because it enables complete cloud environment takeover. Immediate patching of the IaaS API is required, alongside an audit of current service account configurations to identify any prior unauthorized escalations.