CVE-2025-66209 is an OS command injection vulnerability classified under CWE-78 affecting Coolify, an open-source and self-hostable tool designed for managing servers, applications, and databases. The vulnerability is located in the Database Backup feature prior to version 4.0.0-beta.451. Specifically, the application passes database names directly into shell commands without proper sanitization or escaping, allowing an authenticated user with application or service management permissions to inject arbitrary shell commands. Because these commands execute with root privileges on the managed servers, an attacker can achieve full remote code execution, compromising confidentiality, integrity, and availability of the systems. The vulnerability does not require user interaction beyond authentication and has a CVSS 4.0 score of 9.4, reflecting its critical severity. The flaw arises from improper neutralization of special elements in OS commands, a common and dangerous injection vector. Although no public exploits are currently known, the vulnerability’s nature and privilege level make it a high-risk issue. The vendor addressed the vulnerability in version 4.0.0-beta.451 by implementing proper input validation and sanitization to prevent command injection. Organizations using vulnerable versions should upgrade immediately and audit permissions to limit exposure.

For European organizations, this vulnerability poses a severe risk due to the potential for full system compromise on servers managed by Coolify. Attackers exploiting this flaw can execute arbitrary commands as root, leading to data theft, service disruption, ransomware deployment, or lateral movement within networks. Critical infrastructure, financial institutions, and enterprises relying on Coolify for database and application management could face significant operational and reputational damage. The ease of exploitation combined with high privileges means that even insiders or compromised accounts with limited permissions can escalate attacks rapidly. Given the open-source nature of Coolify, organizations using customized or self-hosted deployments may be unaware of the vulnerability, increasing exposure. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the criticality demands urgent patching and monitoring to prevent potential targeted attacks in Europe.

1. Immediately upgrade all Coolify instances to version 4.0.0-beta.451 or later where the vulnerability is fixed. 2. Restrict application and service management permissions strictly to trusted administrators to reduce the risk of exploitation by unauthorized users. 3. Implement network segmentation and access controls to limit exposure of Coolify management interfaces to only necessary personnel and systems. 4. Conduct thorough audits of existing database names and configuration inputs to ensure no malicious payloads are present. 5. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect anomalous command executions on managed servers. 6. Monitor logs for unusual shell command activity or privilege escalations related to Coolify-managed servers. 7. Educate administrators on the risks of command injection and enforce secure coding and configuration practices in self-hosted environments. 8. Consider deploying application-layer firewalls or command whitelisting mechanisms on critical servers to prevent unauthorized command execution. 9. Maintain an incident response plan tailored to potential exploitation scenarios involving Coolify. 10. Stay updated on threat intelligence feeds for any emerging exploits targeting this vulnerability.