
CVE-2025-66209: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify

Severity: Critical
Tags: Vulnerability, CVE-2025-66209, CWE-78
Published: Tue Dec 23 2025 (12/23/2025, 21:42:18 UTC)
Source: CVE Database V5
Vendor/Project: coollabsio
Product: coolify

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 01/07/2026, 02:54:24 UTC

Technical Analysis

CVE-2025-66209 is an OS command injection vulnerability (CWE-78) in Coolify, the open-source server management tool from coollabsio, affecting versions prior to 4.0.0-beta.451. The flaw sits in the Database Backup functionality: the database name used for a backup operation is interpolated directly into a shell command without neutralizing shell metacharacters. An authenticated user who holds application or service management permissions can therefore supply a database name that carries additional shell syntax, and the resulting commands run as root on the managed server, because Coolify executes its backup commands there with root privileges. No user interaction is required beyond the attacker's own authenticated session, so the attack is full remote code execution from a low-privileged management account. The record rates the issue Critical; the technical details below list CVSS version 4.0, and the vector characteristics given here are network attack vector, low attack complexity, privileges required and no user interaction. The impact on confidentiality, integrity and availability reaches the managed servers rather than only the Coolify host itself. No exploitation in the wild had been reported at the time of this analysis, but the low attack complexity makes the issue a significant threat. Version 4.0.0-beta.451 fixes the issue by sanitizing the database name before it reaches the shell command. Organizations using Coolify to manage servers, applications and databases should upgrade promptly.
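The following Python is an added illustration of the bug class the analysis describes; it is not Coolify's code, and the page does not show the project's actual backup command or the fix. The pg_dump command template, the stub pg_dump binary used to run everything offline, the payload and the sample database names are all constructed here. It runs the same attacker-controlled name through a builder that splices it into a shell string (the vulnerable pattern) and through a hardened builder that allowlists the name and passes it as a single argv element, and it shows that even without the allowlist the argv route leaves shell metacharacters inert.

```python
"""Illustrative reproduction of the CWE-78 pattern behind CVE-2025-66209.

Added example, not Coolify's code: a backup routine that splices a
user-controlled database name into a shell command line, next to a hardened
builder that allowlists the name and passes it as one argv element. The
command template, the stub pg_dump and the sample names are constructed for
this demonstration. POSIX only (needs /bin/sh).
"""
import os
import re
import shlex
import stat
import subprocess
import tempfile

# Assumed policy: database names must be plain PostgreSQL-style identifiers
# (letters, digits, underscore; 63 bytes max). Anything else is rejected, not
# quoted, which also keeps the name safe when it is reused in a file path.
DB_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def vulnerable_command(db_name: str) -> str:
    """The bug class: the name lands in a string that /bin/sh will parse."""
    return f"pg_dump --dbname={db_name} --file=/backups/{db_name}.sql"


def hardened_command(db_name: str) -> list[str]:
    """Allowlist first, then build argv so no shell ever interprets the name."""
    if not DB_NAME_RE.fullmatch(db_name):
        raise ValueError(f"refusing database name {db_name!r}: not a plain identifier")
    return ["pg_dump", f"--dbname={db_name}", f"--file=/backups/{db_name}.sql"]


def audit_db_names(names):
    """Configured names an unpatched instance would splice into the shell unchanged."""
    return [n for n in names if not DB_NAME_RE.fullmatch(n)]


def _run_with_stub_pg_dump(cmd, use_shell: bool) -> str:
    """Run cmd with PATH pointing at a stub pg_dump that only echoes its arguments."""
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "pg_dump")
        with open(stub, "w") as fh:
            fh.write('#!/bin/sh\nprintf "pg_dump called with: %s\\n" "$*"\n')
        os.chmod(stub, stat.S_IRWXU)
        env = {**os.environ, "PATH": tmp + os.pathsep + os.environ.get("PATH", "")}
        proc = subprocess.run(cmd, shell=use_shell, env=env,
                              capture_output=True, text=True, check=False)
        return proc.stdout + proc.stderr


def demo() -> dict:
    """Drive both builders with an injection payload and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        # Constructed payload: close pg_dump's argument list, run our own
        # command, then comment out the rest of the template with '#'.
        payload = f"app; touch {shlex.quote(marker)} #"

        # 1. Same string as one argv element, no shell: metacharacters are inert
        #    and reach pg_dump verbatim (the stub just prints them back).
        out = _run_with_stub_pg_dump(["pg_dump", f"--dbname={payload}"], use_shell=False)
        argv_inert = "; touch" in out and not os.path.exists(marker)

        # 2. The vulnerable builder hands the string to sh: the touch runs.
        _run_with_stub_pg_dump(vulnerable_command(payload), use_shell=True)
        injection_fired = os.path.exists(marker)

    # 3. The hardened builder never gets that far: the allowlist rejects it.
    try:
        hardened_command(payload)
        rejected = False
    except ValueError:
        rejected = True

    return {"argv_route_inert": argv_inert,
            "injection_fired": injection_fired,
            "hardened_rejected_payload": rejected}


if __name__ == "__main__":
    print(demo())
    print(audit_db_names(["app_prod", "app; id #", "$(id)"]))
```

The two defences are independent and both belong in a fix: the allowlist stops hostile names at the boundary, and building argv without a shell removes the interpreter that gives `;`, `$(...)` and backticks their meaning, so a name that slips past validation still arrives at the dump tool as a literal string. `audit_db_names` is the check to run against stored backup configurations on an instance that was exposed before upgrading.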

Potential Impact

For European organizations, the impact of CVE-2025-66209 is severe. An attacker can execute arbitrary commands as root on every server Coolify manages, which is enough for full system compromise, data theft, data destruction or ransomware deployment. Confidentiality is at risk through unauthorized access to the databases and servers under management; integrity through altered or deleted data and configuration; availability through disabled services or deleted critical files. Organizations that run production environments through Coolify, particularly in finance, healthcare, government and critical infrastructure, face heightened risk. Because the commands run as root without any user interaction, a single compromised or malicious management account is enough for lateral movement within the network, and the same access can be used to plant persistent backdoors or pivot to other internal systems. The absence of known exploits in the wild does not reduce the urgency: the issue is publicly disclosed, rated Critical, and simple to trigger, so exploitation attempts are likely.

Mitigation Recommendations

1. Upgrade Coolify to version 4.0.0-beta.451 or later, the first version that contains the fix.
2. Until the upgrade is done, restrict application and service management permissions to trusted administrators, since any account holding those permissions can trigger the injection.
3. Limit access to the Coolify management interface to authorized IP ranges and internal networks with network segmentation and firewall rules.
4. Review backup configurations and audit logs for database names containing shell metacharacters (for example `;`, `|`, `$(`, backticks) and for backup runs that spawned commands other than the expected dump tool; on an unpatched instance these are the indicators of an exploitation attempt.
5. Run host-based intrusion detection (HIDS) on managed servers to alert on unexpected root-level process execution.
6. Include server management tools and their backup functionality in regular security assessments and penetration tests.
7. Train administrators on command injection risks and on validating and sanitizing input in custom scripts or integrations.
8. Consider an application-layer firewall or runtime application self-protection (RASP) in front of Coolify to detect and block injection payloads.
9. Keep current, tested backups and an incident response plan so that a compromised server can be rebuilt quickly.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-24T23:01:29.678Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 694b1125d69af40f31323140

Added to database: 12/23/2025, 10:01:09 PM

Last enriched: 1/7/2026, 2:54:24 AM

Last updated: 2/7/2026, 8:45:31 AM
