CVE-2025-64420 is a critical security vulnerability affecting Coolify, an open-source, self-hostable platform used for managing servers, applications, and databases. In versions up to and including 4.0.0-beta.434, the vulnerability allows low privileged users to access the private SSH key of the root user on the Coolify instance. This key exposure enables attackers to authenticate as root via SSH, granting full administrative control over the underlying server. The root cause is insufficient protection of sensitive credentials (CWE-522), where the private key is improperly stored or accessible to unauthorized users within the application environment. The vulnerability is remotely exploitable without user interaction and requires only low privilege access, significantly lowering the barrier for attackers. The impact is severe, compromising confidentiality (exposure of private keys), integrity (full system control), and availability (potential for destructive actions). No official patch has been released at the time of publication, and no active exploits have been reported, though the risk remains high due to the ease of exploitation and critical access gained. This vulnerability affects all deployments of Coolify up to the specified version, especially those exposed to multiple users or untrusted environments. Organizations relying on Coolify for infrastructure management must consider this vulnerability a critical threat to their operational security.

For European organizations, the impact of CVE-2025-64420 is substantial. Unauthorized root access via exposed private keys can lead to complete system compromise, data breaches, service disruptions, and potential lateral movement within networks. Organizations managing critical infrastructure, sensitive data, or regulated environments face heightened risks including compliance violations (e.g., GDPR), reputational damage, and financial losses. The vulnerability undermines trust in server management processes and could facilitate advanced persistent threats if exploited by sophisticated attackers. Given Coolify's role in managing servers and databases, exploitation could disrupt essential services or lead to data exfiltration. The lack of a patch increases exposure duration, necessitating immediate compensating controls. European entities with multi-user access to Coolify instances or those hosting it in shared or cloud environments are particularly vulnerable. The critical CVSS score reflects the high likelihood of severe operational impact.

1. Immediately restrict access to Coolify instances to trusted administrators only, removing or limiting low privileged user accounts. 2. Isolate Coolify deployments within segmented network zones to reduce exposure. 3. Implement strict file system permissions to prevent unauthorized access to private keys and sensitive files. 4. Monitor SSH logs and authentication attempts for unusual root login activity, enabling rapid detection of exploitation. 5. Use multi-factor authentication (MFA) for all administrative access where possible to add an additional security layer. 6. Consider temporarily disabling Coolify or migrating critical workloads until a patch is released. 7. Regularly audit Coolify configurations and user privileges to ensure least privilege principles are enforced. 8. Stay informed on vendor updates and apply patches promptly once available. 9. Employ host-based intrusion detection systems (HIDS) to alert on unauthorized file access or privilege escalations. 10. Educate users about the risks and signs of compromise related to this vulnerability.