CVE-2025-66022: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in factionsecurity faction
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
AI Analysis
Technical Summary
CVE-2025-66022 is a critical vulnerability in the Faction PenTesting Report Generation and Collaboration Framework, affecting versions prior to 1.7.1. It chains two defects. First, the extension framework's execution path lets untrusted extension code run arbitrary system commands on the host when one of the extension's lifecycle hooks is invoked: code uploaded through the extension framework is treated as trusted functionality (CWE-829, Inclusion of Functionality from Untrusted Control Sphere). Second, the /portal/AppStoreDashboard endpoint performed no authentication check (CWE-287, Improper Authentication), so anyone who can reach the portal over the network can open the extension management UI and upload a malicious extension without credentials. Together these yield unauthenticated remote code execution on the server hosting Faction, running with whatever privileges the Faction service process has. The recorded CVSS v3.1 base score is 9.7 (Critical), described as a network attack of low complexity requiring no privileges, with user interaction required, a scope change, and high confidentiality, integrity and availability impact. Note that those components (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) compute to 9.6 under the CVSS v3.1 formula, not 9.7, so one of the two figures as recorded here is off; verify the vector against the GitHub advisory before quoting it. No exploitation in the wild had been reported at the time of analysis, but the preconditions are minimal: network reachability of the portal and the ability to package an extension. Version 1.7.1 adds the missing authentication check and hardens the extension execution path. Hosts running earlier versions should be treated as exposed to full compromise, loss of the assessment data they hold, and disruption of the reporting workflow.
Potential Impact
For European organizations, the impact of CVE-2025-66022 can be severe. Faction stores penetration-test findings, so a successful exploit exposes unremediated vulnerabilities in client and internal environments together with the evidence, credentials and network details collected while testing them; an attacker can act on those findings directly. The remote code execution capability allows arbitrary commands on the host, potentially leading to full system compromise, lateral movement into the networks the Faction host can reach, data exfiltration, and disruption of security operations that depend on the platform. This undermines trust in the security team and, where reports contain personal data, triggers breach-notification obligations and potential penalties under the GDPR. The unauthenticated nature of the exploit increases the risk, since attackers need neither valid credentials nor insider access; any Faction portal reachable from the internet or from a compromised internal host is a target. Organizations relying on Faction for security workflows may face operational downtime and reputational damage if exploited. The threat is particularly relevant for cybersecurity firms, managed security service providers (MSSPs), and enterprises conducting internal or external penetration testing in Europe.
Mitigation Recommendations
1. Immediately upgrade all Faction installations to version 1.7.1 or later, where the vulnerability is patched.
2. If an immediate upgrade is not possible, restrict network access to the whole Faction instance (VPN, firewall rules, IP allowlisting), not only to the /portal/AppStoreDashboard path: the dashboard is the UI, and the upload handlers it fronts may be callable directly.
3. Implement strict access controls and monitoring on the extension management interface so that every extension upload is attributable to a named administrator and alerts on anything else.
4. Audit installed extensions. Treat any extension installed while a vulnerable version was network-reachable as suspect and remove it; because the malicious code runs when a lifecycle hook fires, assume such an extension has already executed and investigate the host accordingly.
5. Employ a web application firewall (WAF) to block multipart uploads to the extension management paths from untrusted sources. This is a stopgap for item 2, not a substitute for the upgrade.
6. Regularly review authentication and authorization on all administrative interfaces. After upgrading, confirm that an unauthenticated request to /portal/AppStoreDashboard no longer returns the dashboard (an authentication check should redirect to the login page or answer 401/403).
7. Monitor for unexpected child processes spawned by the Faction service process (shells, download utilities, package managers) and for unexpected outbound connections from the host; in web-server logs, look for requests to /portal/AppStoreDashboard from untrusted clients and for POST requests under /portal/ that follow them.
8. Educate security teams about this vulnerability and ensure incident response plans cover rapid containment. If an unpatched instance was exposed, rotate any credentials and API tokens the Faction host holds, since RCE gives an attacker access to all of them.
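The log-based check in item 7 can be automated. The following detector is an added example written for this page, not code from the Faction project or from the advisory. It parses web-server access logs in the common combined format and applies two rules: a served (2xx) request to /portal/AppStoreDashboard from a client outside an assumed trusted administrator network is flagged, and a POST under /portal/ from the same client within an assumed ten-minute window is flagged as a possible extension upload. The advisory does not name the upload endpoint, so the second rule matches any portal POST rather than a specific path; the sample log lines, the trusted network ranges, the window and the upload path appearing in the sample are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Combined log format: client ident user [timestamp] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

DASHBOARD = "/portal/AppStoreDashboard"  # endpoint named in the advisory
UPLOAD_WINDOW = timedelta(minutes=10)     # assumption: how long after a dashboard hit a POST is suspicious
# Assumption: the only networks from which administrators should reach the extension UI.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample input. The POST path is illustrative only; the advisory does not name it.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2025:21:14:02 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 18432 "-" "python-requests/2.32"
203.0.113.7 - - [25/Nov/2025:21:14:09 +0000] "POST /portal/appstore/upload HTTP/1.1" 302 0 "-" "python-requests/2.32"
10.20.0.5 - - [25/Nov/2025:21:20:40 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
10.20.0.5 - - [25/Nov/2025:21:35:11 +0000] "GET /portal/reports HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Nov/2025:21:40:00 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 302 0 "-" "curl/8.5"
"""


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_trusted(client, trusted_nets):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def detect(lines, trusted_nets=TRUSTED_NETS, window=UPLOAD_WINDOW):
    """Return a list of (client, reason, request) findings.

    Rule 1: the dashboard was served (2xx) to a client outside trusted_nets.  Pre-1.7.1
            the endpoint has no auth check, so this is exactly the exposure; after the
            upgrade an anonymous request should not get a 2xx.
    Rule 2: a POST under /portal/ from a client that was served the dashboard within
            `window`, whether or not that client is trusted, so uploads get reviewed.
    """
    findings = []
    last_dashboard = {}  # client -> timestamp of the most recent served dashboard request
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, path, method = rec["client"], rec["path"], rec["method"]
        if path == DASHBOARD and 200 <= rec["status"] < 300:
            last_dashboard[client] = rec["ts"]
            if not is_trusted(client, trusted_nets):
                findings.append((client, "dashboard served to client outside trusted networks", f"{method} {path}"))
        elif (method == "POST" and path.startswith("/portal/")
              and client in last_dashboard
              and rec["ts"] - last_dashboard[client] <= window):
            findings.append((client, "possible extension upload after dashboard access", f"POST {path}"))
    return findings


if __name__ == "__main__":
    for client, reason, request in detect(SAMPLE_LOG.splitlines()):
        print(f"{client:15} {reason}: {request}")
```

On the sample input the detector reports two findings, both for 203.0.113.7: the dashboard served to an untrusted client, then a portal POST seven seconds later. The trusted administrator's dashboard access is recorded but not flagged, and the 302 answered to 198.51.100.4 is ignored, which is the behaviour expected from a patched instance. Point the script at the real access log instead of SAMPLE_LOG and adjust TRUSTED_NETS to the networks your administrators actually use.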
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-21T01:08:02.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692669caca41832e1e64f236
Added to database: 11/26/2025, 2:45:30 AM
Last enriched: 11/26/2025, 3:00:28 AM
Last updated: 11/26/2025, 8:00:27 AM