CVE-2025-66208: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in CollaboraOnline online
CVE-2025-66208 is a high-severity OS command injection vulnerability in Collabora Online's built-in CODE Server (the richdocumentscode proxy) in versions prior to 25.04.702. The flaw lets an unauthenticated remote attacker execute arbitrary OS commands through the proxy.php interface, in particular when the built-in CODE Server is used with Nextcloud behind an intermediate reverse proxy. The root cause is improper neutralization of special elements used in an OS command (CWE-78). No user interaction or privileges are required. No in-the-wild exploitation has been reported so far. The issue is fixed in version 25.04.702.
AI Analysis
Technical Summary
CVE-2025-66208 is an OS command injection vulnerability in Collabora Online's built-in CODE Server, specifically in the richdocumentscode proxy. The built-in CODE Server is the Nextcloud app that bundles Collabora Online for document editing and exposes it to browsers and to Nextcloud through proxy.php on the Nextcloud web host. In versions prior to 25.04.702, input that passes through proxy.php is not properly neutralized before it reaches an OS command, so an attacker can inject arbitrary commands. The condition is configuration-dependent: the exploitable path involves the proxy.php endpoint together with an intermediate reverse proxy in front of Nextcloud, but where that configuration is present the flaw is reachable remotely without authentication or user interaction. It is classified as CWE-78 (improper neutralization of special elements used in an OS command). Successful exploitation yields remote code execution with the privileges of the PHP process that runs proxy.php (typically the web server user), which on a Nextcloud host usually means access to the data directory and to config.php with the database credentials, and a foothold from which to pivot further into the host. The CVSS 4.0 base score is 7.2 (high). Note that a network-reachable, low-complexity, unauthenticated flaw with no attack requirements and high confidentiality, integrity and availability impact would score in the critical range under CVSS 4.0, so a 7.2 implies that the scorer factored in a precondition (such as the reverse-proxy deployment dependency) or a lower impact rating; check the published vector string rather than re-deriving the score from this summary. No exploitation in the wild has been reported, but an unauthenticated command injection in an internet-facing collaboration service is a top patching priority regardless. The issue was publicly disclosed on December 3, 2025 and fixed in Collabora Online 25.04.702.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those deploying Collabora Online integrated with Nextcloud for document collaboration. Successful exploitation could allow attackers to execute arbitrary commands on servers, leading to data theft, service disruption, or lateral movement within networks. Confidentiality could be compromised by unauthorized data access; integrity could be affected by unauthorized modification of documents or system files; availability could be disrupted by service outages or destruction of data. Given the widespread use of Nextcloud and Collabora Online in European public sector, education, and private enterprises, the impact could be broad. Attackers could leverage this vulnerability to target sensitive government or corporate documents, disrupt business operations, or establish persistent footholds. The lack of required authentication and user interaction increases the risk of automated exploitation campaigns. Organizations failing to patch may face regulatory compliance issues under GDPR if personal data is compromised.
Mitigation Recommendations
European organizations should upgrade Collabora Online's built-in CODE Server to version 25.04.702 or later as the primary remediation, and verify the installed version after the upgrade rather than trusting the package manager alone. Until the upgrade is applied, reduce exposure of the proxy.php endpoint: first establish whether the deployment actually matches the affected configuration (built-in CODE Server used with Nextcloud behind an intermediate reverse proxy), then restrict access to proxy.php to the source networks that legitimately need it, using firewall rules or allowlisting at the reverse proxy and blocking untrusted networks. A Web Application Firewall with rules for command-injection metacharacters in requests to proxy.php can buy time, but signature-based filtering is bypassable and is not a substitute for the patch. For detection, review web server access logs for requests to proxy.php from unexpected sources or carrying shell metacharacters, and watch process-level telemetry (for example auditd execve records) for shells or unexpected child processes spawned by the web server or PHP-FPM user. Review the configuration of any intermediate reverse proxy (for instance which client-supplied headers it forwards or rewrites) so that it exposes no more of the application than required. Run the PHP process that executes proxy.php under a dedicated unprivileged account with the minimum file system access, so that a successful injection does not immediately yield root or unrestricted access to the host. Finally, keep collaboration software inside the routine vulnerability management cycle so that future fixes in this component are applied promptly.
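The two checks an administrator would want from the recommendations above, as an added example that is not code from Collabora, Nextcloud or this page's author: a numeric version gate against the fixed release 25.04.702, and a triage pass over web server access logs that flags requests to proxy.php from sources outside an allowlist or carrying shell metacharacters. The log lines are constructed, the `req` query parameter and the `/apps/richdocumentscode/proxy.php` path are assumptions about the deployment, and the metacharacter heuristic is the generic CWE-78 check, not a signature for this CVE: the page does not say which input reaches the shell, and if it is a request header rather than the query string, the access log will not show it. Treat hits as leads for investigation, not proof of exploitation.

```python
"""Added example (not Collabora/Nextcloud code): version gate and access-log
triage for CVE-2025-66208.

Assumptions, none of which come from the advisory:
- the built-in CODE Server proxy is reached at a path ending in /proxy.php,
  here /apps/richdocumentscode/proxy.php with a `req` query parameter;
- the web server writes Combined Log Format; SAMPLE_LOG below is constructed.
"""
import re
from typing import Iterable
from urllib.parse import unquote

FIXED_VERSION = (25, 4, 702)  # first fixed release named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """'25.04.702' -> (25, 4, 702). Compare numerically: as strings,
    '25.04.1000' sorts before '25.04.702' even though it is the newer build."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True for any build earlier than 25.04.702."""
    return parse_version(version) < FIXED_VERSION


# Combined Log Format: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Generic CWE-78 indicators: characters that end or chain a shell command.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")


def triage_request(src: str, target: str, allow: set[str]) -> list[str]:
    """Return the reasons a single request to proxy.php deserves a look
    (empty list for anything else)."""
    path, _, query = target.partition("?")
    if not path.endswith("/proxy.php"):
        return []
    reasons = []
    if src not in allow:
        reasons.append("proxy.php reached from a source outside the allowlist")
    # Decode twice so a double-encoded %253B (-> %3B -> ;) is still caught.
    if SHELL_META.search(unquote(unquote(query))):
        reasons.append("shell metacharacters in the proxy.php query string")
    return reasons


def scan_access_log(lines: Iterable[str], allow: set[str]) -> list[dict]:
    """Run triage_request over every parseable log line; unparseable lines
    are skipped rather than silently treated as clean or dirty."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = triage_request(m["src"], m["target"], allow)
        if reasons:
            findings.append({"line": lineno, "src": m["src"], "status": m["status"],
                             "target": m["target"], "reasons": reasons})
    return findings


# Constructed sample: one allowlisted client, one external host, one of whose
# requests carries a URL-encoded ';' after an otherwise ordinary path.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2025:10:00:01 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/capabilities HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Dec/2025:10:00:07 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/capabilities HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Dec/2025:10:00:09 +0000] "GET /apps/richdocumentscode/proxy.php?req=%2Fhosting%2Fcapabilities%3Bid HTTP/1.1" 200 240',
    '10.0.0.5 - - [03/Dec/2025:10:00:12 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9031',
]
ALLOWED_SOURCES = {"10.0.0.5"}  # constructed: the only network that should reach the editor

if __name__ == "__main__":
    for v in ("25.04.701", "25.04.702", "25.04.1000"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for hit in scan_access_log(SAMPLE_LOG, ALLOWED_SOURCES):
        print(f"line {hit['line']} {hit['src']} {hit['target']}: {'; '.join(hit['reasons'])}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines and ALLOWED_SOURCES with the networks that should reach the editor; the allowlist reason alone usually just means a user on an unexpected network, so prioritise hits that carry both reasons and correlate them with process-level telemetry from the web server user before treating them as exploitation.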
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.677Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693081947d648701e0f8358f
Added to database: 12/3/2025, 6:29:40 PM
Last enriched: 12/10/2025, 6:37:26 PM
Last updated: 1/19/2026, 5:50:16 AM
Related Threats
- CVE-2026-1140: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-1139: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-1138: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-1137: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-1136: Cross Site Scripting in lcg0124 BootDo (Medium)