CVE-2026-23560
Xen · XAPI
A vulnerability in Xen XAPI allows a vm-admin to mark a VM as a system domain, which can cause the domain to be hidden from management tooling and persist during host operations.
Executive summary
A critical configuration vulnerability in Xen XAPI allows attackers to hide virtual machines and bypass management operations, potentially masking malicious activity.
Vulnerability
This issue stems from inadequately restricted settings, where a vm-admin can set VM.other-config:is_system_domain. By marking a VM as a system domain, an attacker can ensure the VM is ignored during host or pool operations and effectively hide it from administrative visibility.
Business impact
Successful exploitation allows an attacker to maintain persistence and evade detection by security tools and administrators. With a CVSS score of 9.4, this flaw poses a critical risk to system integrity and incident response capabilities, as malicious domains can be hidden in plain sight.
Remediation
Immediate Action: Apply the latest security updates provided by the vendor; consult https://xenbits.xen.org/xsa/advisory-489.html for patch availability and instructions.
Proactive Monitoring: Review virtual machine configurations for unexpected "system domain" flags and monitor for discrepancies between running VMs and those visible in management consoles.
Compensating Controls: Implement strict change management processes for VM configuration changes and limit the ability of vm-admin roles to modify critical VM properties.
Exploitation status
Public Exploit Available: False
Analyst recommendation
The ability to hide virtual assets represents a significant security blind spot. It is recommended to update the Xen XAPI software immediately and conduct a thorough audit of all existing VM configurations to identify and remediate any unauthorized system domain tags.