
CVE-2025-59683: CWE-863 Incorrect Authorization in Pexip Infinity

Severity: High
Published: Thu Dec 25 2025 (12/25/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Pexip
Product: Infinity

Description

Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service.

AI-Powered Analysis

AI analysis last updated: 12/25/2025, 05:14:30 UTC

Technical Analysis

CVE-2025-59683 is an incorrect authorization flaw (CWE-863) in the Secure Scheduler for Exchange service of Pexip Infinity, reachable when that service is used with Office 365 Legacy Exchange Tokens. Affected releases are 15.0 through 38.0; 38.1 is the first fixed release. According to the advisory, the service does not correctly enforce its access-control policy, so a remote attacker can read potentially sensitive scheduling data and drive excessive resource consumption, up to a denial of service. The CVSS v3.1 base score of 8.2 is consistent with a network-reachable, low-complexity attack that needs no privileges or user interaction and has a high availability impact together with a low (not moderate) confidentiality impact; integrity is not part of the stated impact. No public exploit had been reported at the time of this analysis, but the unauthenticated network reach makes this a serious concern for deployments that still rely on legacy Exchange tokens. Deployments that do not use the Secure Scheduler for Exchange with legacy tokens are outside the exposure path the advisory describes. The advisory attributes the problem to authorization logic in the Secure Scheduler component that does not verify whether the requesting party is entitled to the scheduling data it reads; the consequences are unauthorized disclosure and resource exhaustion, not data modification.
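The affected range above (15.0 through 38.0, fixed in 38.1) is the first thing to check across an estate. The following Python is an added example, not Pexip code and not taken from this page: it parses a version string into a comparable tuple, tests it against the advisory's range, and triages a constructed inventory. The host names and the legacy_exchange_tokens field are assumptions used for illustration, and the tuple handling also covers three-component version strings, which the advisory itself does not enumerate.

```python
"""Affected-version check for CVE-2025-59683 (Pexip Infinity 15.0 <= v < 38.1).

Added example, not Pexip code. INVENTORY below is a constructed sample; the
field names are assumptions, not a Pexip management API schema.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = (15, 0)   # first affected release named in the advisory
FIXED = (38, 1)          # first fixed release named in the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v38.0.1', '38.1' or '38' into a tuple of ints for comparison."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(v: str) -> bool:
    """True when v lies in [15.0, 38.1) per the advisory's stated range."""
    t = parse_version(v)
    # Pad to at least two components so '38' compares as (38, 0); a longer
    # tuple such as (38, 0, 5) still sorts below (38, 1) element-wise.
    if len(t) < 2:
        t = t + (0,) * (2 - len(t))
    return AFFECTED_MIN <= t < FIXED


# Constructed inventory, not real hosts. legacy_exchange_tokens records
# whether the node's Secure Scheduler for Exchange uses Office 365 Legacy
# Exchange Tokens, which is the exposure condition the advisory names.
INVENTORY = [
    {"host": "conf-mgr-01.example.org", "version": "37.2", "legacy_exchange_tokens": True},
    {"host": "conf-mgr-02.example.org", "version": "38.1", "legacy_exchange_tokens": True},
    {"host": "conf-mgr-03.example.org", "version": "38", "legacy_exchange_tokens": False},
    {"host": "conf-mgr-04.example.org", "version": "14.9", "legacy_exchange_tokens": True},
]


def triage(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Return (host, priority) for every node on an affected version.

    'exposed' means affected version AND legacy tokens in use (patch first);
    'affected-version-only' means the version is in range but the stated
    exposure condition is absent (still upgrade, lower urgency).
    """
    result = []
    for node in inventory:
        if not is_affected(node["version"]):
            continue
        priority = "exposed" if node["legacy_exchange_tokens"] else "affected-version-only"
        result.append((node["host"], priority))
    return result


if __name__ == "__main__":
    for host, priority in triage(INVENTORY):
        print(f"{host}: {priority}")
```

Feed the real version strings from your inventory tooling into is_affected; the triage split matters because the advisory ties exploitability to legacy Exchange tokens, so those nodes go to the front of the patch queue.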

Potential Impact

For European organizations that run Pexip Infinity with the Secure Scheduler for Exchange against Office 365, the impact can be significant. Unauthorized reads of scheduling data could expose meeting subjects, times and participant details, which for many organizations are personal data with privacy and regulatory consequences. The resource-exhaustion side of the flaw can degrade or interrupt the scheduling service, disrupting a collaboration platform that business continuity often depends on. Sectors where confidential meetings are routine, such as finance, government, healthcare and critical infrastructure, face the sharpest consequences from a leak of who is meeting whom and when. Because the attack needs no privileges or user interaction, the barrier to exploitation is low, and leaked scheduling data could also feed later social-engineering or targeted attacks against the same organization.

Mitigation Recommendations

To mitigate CVE-2025-59683, upgrade Pexip Infinity to version 38.1 or later, the first release in which the vendor states the issue is fixed. Where that cannot happen immediately, disable the Secure Scheduler for Exchange service, or at minimum stop using it with Office 365 Legacy Exchange Tokens, since the advisory ties the flaw to that combination. Treat this as a reason to finish moving off legacy Exchange tokens altogether: Microsoft is retiring legacy Exchange Online tokens for Outlook add-ins in favour of Nested App Authentication and Entra ID (OAuth 2.0) tokens, so the legacy path is a shrinking, poorly supported configuration regardless of this CVE. Restrict network access to the scheduler service with IP allowlisting and segmentation so that only Exchange Online, Outlook clients and trusted networks can reach it. Monitor request rates and 401/403 responses on the scheduler service, and alert on bursts from a single source or on repeated refused requests, since the advisory describes both a data-read and a resource-exhaustion outcome. Review access logs for the scheduler service for reads that do not correspond to legitimate scheduling activity. Track Pexip's advisory for any further guidance, and make sure the operations and security teams know which nodes run the scheduler and which authentication mode they use.
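The monitoring advice above is easier to act on with concrete detection logic. The following Python is an added example, not Pexip code and not anything the vendor documents: it assumes a reverse proxy in front of the scheduler writes combined-format access logs and that scheduler requests share a URL prefix (PATH_PREFIX, set here to /scheduler/ as an assumption; the real path is not given on this page), then flags per-source request bursts and repeated 401/403 responses inside a sliding window. All log lines are constructed.

```python
"""Burst / denied-request detector for Secure Scheduler traffic.

Added example for the CVE-2025-59683 mitigation notes; not Pexip code.
Assumptions: a reverse proxy in front of the scheduler writes combined-format
access logs, and scheduler requests share the URL prefix PATH_PREFIX.
Every log line below is constructed, not captured from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

PATH_PREFIX = "/scheduler/"   # assumed prefix; adapt to the real deployment
WINDOW_SECONDS = 60           # sliding window per source address
BURST_THRESHOLD = 20          # more than this many requests per window -> alert
DENIED_THRESHOLD = 5          # this many 401/403 answers per window -> alert

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per (source, kind) for traffic under PATH_PREFIX.

    kind "burst": more than BURST_THRESHOLD requests inside WINDOW_SECONDS.
    kind "denied": DENIED_THRESHOLD or more 401/403 answers inside the window.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    denied: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith(PATH_PREFIX):
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Drop events that have fallen out of the window for this source.
        for window in (recent[ip], denied[ip]):
            while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
        recent[ip].append(ts)
        if ev["status"] in (401, 403):
            denied[ip].append(ts)
        checks = (
            ("burst", len(recent[ip]) > BURST_THRESHOLD, len(recent[ip])),
            ("denied", len(denied[ip]) >= DENIED_THRESHOLD, len(denied[ip])),
        )
        for kind, hit, count in checks:
            if hit and (ip, kind) not in alerted:
                alerted.add((ip, kind))
                alerts.append({"ip": ip, "kind": kind, "count": count, "at": ts.isoformat()})
    return alerts


def make_line(ip: str, second: int, path: str, status: int) -> str:
    """Build one constructed log line timestamped 2025-12-25 10:00:<second> UTC."""
    ts = datetime(2025, 12, 25, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: one normal client, one flooding source, one source that is
# repeatedly refused, and a non-scheduler request that must be ignored.
SAMPLE_LOG = (
    [make_line("198.51.100.4", s, PATH_PREFIX + "meeting", 200) for s in (1, 30, 59)]
    + [make_line("203.0.113.7", s, PATH_PREFIX + "meeting", 200) for s in range(25)]
    + [make_line("192.0.2.9", s, PATH_PREFIX + "meeting", 401) for s in range(5, 11)]
    + [make_line("203.0.113.7", 40, "/static/logo.png", 200)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The detector alerts once per source and kind, which is right for a one-off triage run over a log extract; for continuous use, clear the alerted set when a source has been quiet for a full window so that a returning attacker is reported again. Thresholds are starting points and should be tuned against a baseline of real scheduler traffic before paging anyone.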


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-09-18T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 694cc81abddd8c7d7f664833

Added to database: 12/25/2025, 5:14:02 AM

Last enriched: 12/25/2025, 5:14:30 AM

Last updated: 12/25/2025, 8:24:54 AM

