CVE-2025-66210: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coollabsio coolify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66210 is an OS command injection vulnerability classified under CWE-78, discovered in the open-source server management tool Coolify by coollabsio. The vulnerability exists in versions prior to 4.0.0-beta.451 within the Database Import feature. Specifically, when importing databases, the database names are incorporated directly into shell commands without proper sanitization or neutralization of special characters. This improper handling allows an authenticated user with application or service management permissions to inject arbitrary shell commands. Because these commands are executed with root privileges on the managed servers, an attacker can achieve full remote code execution (RCE). The vulnerability does not require user interaction and can be exploited remotely over the network, assuming the attacker has the necessary management permissions within the application. The flaw is critical due to the combination of ease of exploitation (no user interaction, low attack complexity) and the high impact on confidentiality, integrity, and availability of the affected systems. The vulnerability was publicly disclosed on December 23, 2025, with a CVSS 4.0 score of 9.4, indicating critical severity. The fix was introduced in version 4.0.0-beta.451 by sanitizing inputs to prevent command injection. No known exploits in the wild have been reported yet, but the potential for severe damage is significant given the root-level access granted upon exploitation.
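The pattern behind CWE-78 here, and the fix the advisory describes (sanitizing the identifier before it reaches a shell), shown as an added illustration that is not Coolify's own code: the database name is first checked against an allow-list of identifier characters and then passed to the restore tool as a separate argv element with no shell involved, so metacharacters in the name are never interpreted. The `pg_restore` invocation, the allow-list rule and the sample names are assumptions made for this example.

```python
import re
import shlex
import subprocess
from typing import List

# Hypothetical allow-list for this example: a database identifier must start
# with a letter or underscore and contain only [A-Za-z0-9_], at most 63 chars.
DB_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def is_valid_db_name(name: str) -> bool:
    """Reject anything a shell could interpret: spaces, ; | & $ ` ( ) quotes..."""
    return DB_NAME_RE.fullmatch(name) is not None


def build_import_command_unsafe(db_name: str, dump_path: str) -> str:
    """The vulnerable shape: untrusted identifier interpolated into a shell string.
    Shown only to contrast with build_import_argv(); never run with shell=True."""
    return f"pg_restore --dbname={db_name} {dump_path}"


def build_import_argv(db_name: str, dump_path: str) -> List[str]:
    """Hardened shape: validate, then hand each value to the program as its own
    argv element. Nothing here is parsed by /bin/sh."""
    if not is_valid_db_name(db_name):
        raise ValueError(f"rejected database name: {db_name!r}")
    return ["pg_restore", f"--dbname={db_name}", dump_path]


def quoted_for_logging(argv: List[str]) -> str:
    """If a command line must be rendered as text (for logs or an SSH hop),
    shlex.join() quotes every element so metacharacters stay literal."""
    return shlex.join(argv)


def argv_is_inert(value: str) -> str:
    """Demonstrates that a value passed as an argv element is not interpreted:
    /bin/echo prints it back verbatim, ';' and friends included."""
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def run_import(db_name: str, dump_path: str) -> subprocess.CompletedProcess:
    """Real call site shape: shell=False and a validated argv list."""
    return subprocess.run(build_import_argv(db_name, dump_path), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample names: one legitimate, one carrying a shell separator.
    for name in ("sales_2025", "sales; id"):
        print(name, "valid" if is_valid_db_name(name) else "REJECTED")
    print(quoted_for_logging(["pg_restore", "--dbname=sales; id", "/tmp/sales.dump"]))
    print(argv_is_inert("sales; id"))
```

The two defences are independent: the allow-list keeps the identifier within what the database itself accepts, and the argv list removes the shell from the path entirely, so even a name that slipped past validation would arrive at `pg_restore` as a literal string.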
Potential Impact
For European organizations, the impact of CVE-2025-66210 can be severe. Coolify is used for managing servers, applications, and databases, often in DevOps and cloud environments. Exploitation allows attackers to execute arbitrary commands as root, potentially leading to full system compromise, data theft, service disruption, or lateral movement within networks. This could result in loss of sensitive data, downtime of critical services, and damage to organizational reputation. Given the root-level access, attackers could implant persistent backdoors or disrupt operations extensively. Organizations relying on Coolify for managing production environments or critical infrastructure are particularly vulnerable. The risk is amplified in sectors with strict data protection regulations such as finance, healthcare, and government. Additionally, the vulnerability could be leveraged to bypass security controls or escalate privileges further within enterprise environments.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately upgrade Coolify to version 4.0.0-beta.451 or later, where the issue is fixed. Until the upgrade can be applied, restrict application/service management permissions to only trusted administrators and monitor for unusual command execution or system behavior. Implement network segmentation to limit access to Coolify management interfaces and enforce strong authentication and authorization controls. Employ application-layer firewalls or intrusion detection systems to detect anomalous command injection attempts. Regularly audit and review logs related to database import operations and shell command executions. Additionally, consider isolating Coolify-managed servers in hardened environments with minimal privileges and ensure that backups are current to enable recovery in case of compromise. Educate administrators about the risks of command injection and the importance of input validation in custom scripts or integrations.
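As an added example of the log review recommended above (not Coolify's own logging or tooling), the script below scans constructed, key=value style audit lines for database import operations whose database name contains shell metacharacters or fails a plain identifier allow-list. The log format, field names and sample entries are assumptions for this example; adapt the regex to whatever your Coolify deployment actually emits.

```python
import re
from typing import Dict, List

# Constructed sample audit lines (not real Coolify output).
SAMPLE_LOG = """\
2025-12-23T22:01:09Z level=info action=database.import user=alice server=srv-01 db="sales_2025"
2025-12-23T22:03:41Z level=info action=database.import user=bob server=srv-02 db="analytics; id"
2025-12-23T22:05:12Z level=info action=database.import user=carol server=srv-01 db="hr$(id)"
2025-12-23T22:06:00Z level=info action=database.backup user=alice server=srv-01 db="sales_2025"
2025-12-23T22:07:30Z level=info action=database.import user=dave server=srv-03 db="inventory"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+level=(?P<level>\S+)\s+action=(?P<action>\S+)\s+'
    r'user=(?P<user>\S+)\s+server=(?P<server>\S+)\s+db="(?P<db>[^"]*)"'
)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")
SHELL_META = set(";|&$`(){}<>\\'\"\n\t ")


def parse_line(line: str) -> Dict[str, str]:
    """Return the fields of one audit line, or {} if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def suspicious_reason(db_name: str) -> str:
    """Explain why a database name should be reviewed, or '' if it looks benign."""
    meta = sorted(c for c in db_name if c in SHELL_META)
    if meta:
        return "shell metacharacters: " + "".join(meta)
    if IDENT_RE.fullmatch(db_name) is None:
        return "not a plain identifier"
    return ""


def find_suspicious_imports(log_text: str) -> List[Dict[str, str]]:
    """Flag database.import events whose db name warrants review."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("action") != "database.import":
            continue
        reason = suspicious_reason(fields["db"])
        if reason:
            findings.append({**fields, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_imports(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} server={f['server']} db={f['db']!r}: {f['reason']}")
```

Run it against a real export and every hit is a record that should be matched to a change ticket or treated as a potential exploitation attempt; on a patched instance such names should be rejected before they ever reach a shell, so their presence in older logs is the signal worth chasing.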
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.678Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694b1125d69af40f3132312c
Added to database: 12/23/2025, 10:01:09 PM
Last enriched: 12/23/2025, 10:17:07 PM
Last updated: 12/25/2025, 8:37:19 AM