diff --git a/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
new file mode 100644
index 0000000..d340f51
--- /dev/null
+++ b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
@@ -0,0 +1,48 @@
+From 428c189fa0560bf656b8ded272295d705f602093 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 19 Jan 2023 10:10:33 +0000
+Subject: [PATCH] Add authorization to limit setTokenStatus to allowed admins
+
+This patch adds authorization to limit setTokenStatus to admins
+allowed for the token type in question.
+If a token is not associated with a keyType/profile, then the admin
+must have the ALL_PROFILES prvilege.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153
+
+(cherry picked from commit d74ac7e6e8a2efbb7abe3b5c21637afdd084d245)
+---
+ .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+index d2a3444..5256a66 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+@@ -75,6 +75,23 @@ public class TokenService extends SubsystemService implements TokenResource {
+     public void setTokenStatus(TokenRecord tokenRecord, TokenStatus tokenState, String ipAddress, String remoteUser,
+             Map<String, String> auditModParams)
+                     throws Exception {
++        String method = "TPSService:setTokenStatus: ";
++        String msg = "";
++
++        List<String> authorizedProfiles = getAuthorizedProfiles();
++        if (authorizedProfiles == null) {
++            msg = "authorizedProfiles null";
++            CMS.debug(method + msg);
++            throw new PKIException(method + msg);
++        }
++        String type = tokenRecord.getType();
++        // if token not associated with any keyType/profile, disallow access,
++        // unless the user has the "ALL_PROFILES" privilege
++        if (!authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
++            if (((type == null) || type.isEmpty()) || !authorizedProfiles.contains(type))
++               throw new PKIException(method + "Token record restricted");
++        }
++
+         TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+         IConfigStore config = CMS.getConfigStore();
+ 
+-- 
+1.8.3.1
+
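Review bot: The denial branch in setTokenStatus (`throw new PKIException(method + "Token record restricted");`) records nothing about the refused request. Unlike the null-profile branch just above it, it makes no CMS.debug call, and remoteUser, ipAddress and the token type are all in scope but unused there. I would log before throwing, e.g. `CMS.debug(method + "token type '" + type + "' not in authorized profiles for user " + remoteUser);`, and emit a failure audit event here unless the callers (not visible in this hunk) already audit the thrown exception. A plain PKIException may also reach the client as a generic server error rather than an authorization failure, so a forbidden-style exception would be clearer if this branch has one. Two smaller points: the `method` prefix reads `TPSService:` while the class is TokenService, which will mislead anyone searching the debug log, and the inner `if` should be braced. The rest of setTokenStatus continues outside the hunk.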
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index a1cb8c2..d1f47c3 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,13 +65,13 @@
 Name:             pki-core
 %if 0%{?rhel}
 Version:                10.5.18
-%define redhat_release  24
+%define redhat_release  25
 %define redhat_stage    0
 #%define default_release %{redhat_release}.%{redhat_stage}
 %define default_release %{redhat_release}
 %else
 Version:                10.5.18
-%define fedora_release  24
+%define fedora_release  25
 %define fedora_stage    0
 #%define default_release %{fedora_release}.%{fedora_stage}
 %define default_release %{fedora_release}
@@ -228,6 +228,7 @@ Patch19: pki-core-rhel-7-9-rhcs-9-7-bu-15.patch
 #Patch20: pki-core-rhel-7-9-rhcs-9-7-bu-17.patch
 Patch21: pki-core-rhel-7-9-rhcs-9-7-bu-18.patch
 Patch22: pki-core-rhel-7-9-rhcs-9-7-bu-19.patch
+Patch23: pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
 
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -850,6 +851,7 @@ This package is a part of the PKI Core used by the Certificate System.
 #%patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
 
 %clean
 %{__rm} -rf %{buildroot}
@@ -1386,6 +1388,18 @@ fi
 %endif # %{with server}
 
 %changelog
+* Fri Feb 10 2023 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-25
+- ##########################################################################
+- # RHEL 7.9 (Batch Update 21):
+- ##########################################################################
+- Bugzilla Bug #2160355 - RA Separation by KeyType - Set Token Status
+  [RHCS 9.7 bu 21] (cfu, ckelley)
+- ##########################################################################
+- # RHCS 9.7 (Batch Update 21):
+- ##########################################################################
+- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
+
 * Wed Oct 26 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-24
 - ##########################################################################
 - # RHEL 7.9 (Batch Update 19):