CVE-2025-66022 is a critical vulnerability affecting the Faction PenTesting Report Generation and Collaboration Framework, specifically versions before 1.7.1. The root cause is the inclusion of functionality from an untrusted control sphere (CWE-829) combined with a missing authentication check (CWE-287) on the /portal/AppStoreDashboard endpoint. This endpoint allows unauthenticated users to access the extension management UI, enabling them to upload malicious extensions. These extensions exploit the extension framework’s lifecycle hooks to execute arbitrary system commands on the host server, resulting in remote code execution (RCE). The vulnerability is severe because it requires no authentication (AV:N/AC:L/PR:N), though it requires user interaction (UI:R) to trigger the malicious code execution. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The impact on confidentiality, integrity, and availability is high, as attackers can execute arbitrary commands, potentially leading to full system compromise. Although no known exploits are currently reported in the wild, the high CVSS score of 9.7 reflects the critical nature of this flaw. The vendor has released version 1.7.1 to patch this issue, addressing both the authentication bypass and the insecure extension execution path.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Faction for penetration testing report generation and collaboration. Successful exploitation can lead to full system compromise, exposing sensitive penetration testing data, internal network information, and potentially enabling lateral movement within the network. The loss of confidentiality could reveal critical security assessments, while integrity and availability impacts could disrupt security operations and damage trust in security processes. Given the unauthenticated nature of the exploit, attackers can remotely compromise vulnerable servers without prior access, increasing the attack surface. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, face heightened risks of regulatory penalties and reputational damage. Additionally, the collaborative nature of Faction means multiple users and teams could be affected, amplifying the potential damage.

Immediate upgrade to Faction version 1.7.1 or later is the primary mitigation step to remediate this vulnerability. Until patching is possible, organizations should restrict network access to the /portal/AppStoreDashboard endpoint using firewalls or web application firewalls (WAFs) to prevent unauthenticated access. Implement strict access controls and network segmentation to isolate systems running Faction from untrusted networks. Monitor logs and network traffic for unusual activity related to extension uploads or lifecycle hook invocations. Employ application-layer intrusion detection systems to detect attempts to exploit this vulnerability. Conduct regular audits of installed extensions to identify and remove any unauthorized or suspicious components. Educate security teams about this vulnerability to ensure rapid detection and response. Finally, consider deploying endpoint detection and response (EDR) solutions on servers hosting Faction to detect and contain potential exploitation attempts.