
CVE-2025-58066: CWE-406: Insufficient Control of Network Message Volume (Network Amplification) in pendulum-project ntpd-rs

Severity: Medium
Tags: Vulnerability, CVE-2025-58066, CWE-406
Published: Fri Aug 29 2025 (08/29/2025, 20:54:13 UTC)
Source: CVE Database V5
Vendor/Project: pendulum-project
Product: ntpd-rs

Description

ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions between 1.2.0 and 1.6.1 inclusive, servers which allow non-NTS traffic are affected by a denial of service vulnerability, where an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.

AI-Powered Analysis

Last updated: 08/29/2025, 21:17:41 UTC

Technical Analysis

CVE-2025-58066 is a medium-severity denial of service (DoS) vulnerability affecting the pendulum-project's ntpd-rs software, versions 1.2.0 through 1.6.1 inclusive. ntpd-rs is an implementation of the Network Time Protocol (NTP) and Network Time Security (NTS) protocols used to synchronize computer clocks. The vulnerability arises from insufficient control of network message volume (CWE-406), specifically in servers configured to allow non-NTS traffic. An attacker can exploit this flaw by inducing a message amplification or storm between two vulnerable NTP servers running ntpd-rs, causing excessive network traffic and resource consumption. This can lead to degraded service or outages of the affected NTP servers. Client-only configurations of ntpd-rs are not impacted, as the vulnerability requires server functionality that accepts non-NTS traffic. The CVSS v3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges or user interaction required, and impact limited to availability (denial of service). No known exploits are currently reported in the wild. The recommended remediation is to upgrade affected ntpd-rs servers to version 1.6.2, which addresses this issue by implementing proper network message volume controls to prevent amplification attacks.

Potential Impact

For European organizations relying on ntpd-rs servers for time synchronization, this vulnerability poses a risk of denial of service, potentially disrupting critical time-dependent services such as logging, authentication, financial transactions, and network coordination. Disruption of NTP services can cascade to systems that depend on accurate time, including security protocols and compliance monitoring. Because the attack is amplification-based, it can also drive large volumes of traffic through the network, potentially impacting network infrastructure and causing broader service degradation. Although the vulnerability does not compromise confidentiality or integrity, availability impacts can be significant, especially for sectors with stringent uptime requirements such as finance, telecommunications, and critical infrastructure. Given the medium severity and lack of known exploits, the immediate risk is moderate but warrants prompt patching to prevent exploitation as awareness grows.

Mitigation Recommendations

European organizations should prioritize upgrading all ntpd-rs server instances to version 1.6.2 or later to eliminate the vulnerability. Network administrators should audit their NTP server configurations to ensure that non-NTS traffic is either disabled or properly filtered, reducing exposure to amplification attacks. Implementing rate limiting and traffic shaping on the NTP port (UDP 123) at network perimeter devices can help mitigate potential message storms. Monitoring network traffic for unusual spikes in NTP-related packets can provide early detection of exploitation attempts. Additionally, organizations should consider segmenting NTP servers from general network traffic and restricting access to trusted clients only. Regular vulnerability scanning and patch management processes should be enforced to maintain up-to-date software versions and configurations.
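The monitoring advice above can be turned into a concrete check. The following is an added example, not code from the advisory or from the ntpd-rs project: it reads constructed per-packet flow records (format "epoch src sport dst dport" is an assumption) and flags server-to-server pairs (UDP 123 on both sides, traffic in both directions) whose sustained packet rate exceeds an assumed threshold, which is the traffic shape a storm between two servers would produce.

```python
"""Flag NTP server-to-server message storms in flow records.

Added detection example; record format and thresholds are assumptions.
"""
from collections import defaultdict

NTP_PORT = 123
STORM_PPS = 50.0  # assumed: sustained packets/second between one server pair


def build_sample_flows():
    """Constructed records: one storm, one normal peer exchange, one client."""
    flows = []
    # Storm: 600 packets in ~3 s bouncing between two servers (~200 pps).
    for i in range(600):
        src, dst = ("10.0.0.1", "10.0.0.2") if i % 2 == 0 else ("10.0.0.2", "10.0.0.1")
        flows.append(f"{1000 + i * 0.005:.3f} {src} 123 {dst} 123")
    # Normal peer polling: 4 packets over 48 s.
    for i in range(4):
        src, dst = ("10.0.0.1", "10.0.0.3") if i % 2 == 0 else ("10.0.0.3", "10.0.0.1")
        flows.append(f"{1000 + i * 16:.3f} {src} 123 {dst} 123")
    # Ordinary client query/reply uses an ephemeral client port; ignored below.
    flows.append("1001.000 192.0.2.10 50123 10.0.0.1 123")
    flows.append("1001.010 10.0.0.1 123 192.0.2.10 50123")
    return flows


def detect_storms(lines, pps_threshold=STORM_PPS):
    """Return {(host_a, host_b): pps} for server pairs above the threshold."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dirs": set()})
    for line in lines:
        ts, src, sport, dst, dport = line.split()
        # Heuristic: a storm runs 123->123; clients normally use ephemeral ports.
        if int(sport) != NTP_PORT or int(dport) != NTP_PORT:
            continue
        key = tuple(sorted((src, dst)))  # unordered pair
        s, t = stats[key], float(ts)
        s["count"] += 1
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
        s["dirs"].add((src, dst))
    alerts = {}
    for key, s in stats.items():
        pps = s["count"] / max(s["last"] - s["first"], 1.0)  # avoid 1-packet spikes
        if pps >= pps_threshold and len(s["dirs"]) == 2:  # must be bidirectional
            alerts[key] = round(pps, 1)
    return alerts


if __name__ == "__main__":
    print(detect_storms(build_sample_flows()))
```

The same function can be fed real records exported from a flow collector once they are mapped to the assumed five-field format.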


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-22T14:30:32.222Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b21578ad5a09ad007b61b0

Added to database: 8/29/2025, 9:02:48 PM

Last enriched: 8/29/2025, 9:17:41 PM

Last updated: 8/29/2025, 9:30:37 PM

