CVE-2025-66377: CWE-306 Missing Authentication for Critical Function in Pexip Infinity
CVE-2025-66377 is a high-severity vulnerability in Pexip Infinity versions before 39.0, involving missing authentication on a critical internal API function. An attacker with code execution on one node of a Pexip Infinity installation can exploit this flaw to affect other nodes, potentially compromising confidentiality, integrity, and availability across the deployment. The vulnerability requires prior access to execute code on a node and has a CVSS score of 7.5, indicating high impact but with some exploitation complexity. There are no known exploits in the wild yet, and no patches have been linked at the time of publication. European organizations using Pexip Infinity for video conferencing and collaboration should prioritize mitigation to prevent lateral movement and broader compromise. Countries with significant Pexip Infinity deployments and strategic reliance on secure communications, such as the UK, Germany, France, and the Nordics, are most at risk. Mitigation should focus on restricting node access, network segmentation, and monitoring internal API calls, alongside prompt application of vendor updates once available.
AI Analysis
Technical Summary
CVE-2025-66377 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting Pexip Infinity, a widely used video conferencing and collaboration platform. The flaw exists in a product-internal API that lacks proper authentication controls, allowing an attacker who already has code execution privileges on one node within a Pexip Infinity installation to manipulate or disrupt other nodes in the same deployment. This lateral movement capability can lead to a full compromise of the multi-node environment, impacting confidentiality, integrity, and availability of communications and data handled by the platform. The vulnerability is rated with a CVSS 3.1 score of 7.5, reflecting high impact but requiring local or network access with high attack complexity and no privileges required beyond initial code execution. The absence of user interaction simplifies exploitation once initial access is obtained. Although no public exploits are currently known, the critical nature of the internal API and the potential for cascading effects across nodes make this a significant threat. The vulnerability affects all versions prior to 39.0, with no patches publicly available at the time of reporting. Organizations relying on Pexip Infinity should be aware that this vulnerability can be exploited to disrupt or take control of their video conferencing infrastructure, potentially leading to data leakage, service disruption, or further network compromise.
Potential Impact
For European organizations, the impact of CVE-2025-66377 is substantial due to the widespread use of Pexip Infinity in enterprise and government sectors for secure communications. Exploitation could allow attackers to move laterally within a Pexip deployment, compromising multiple nodes and thereby undermining the confidentiality and integrity of sensitive communications. This could lead to unauthorized data access, interception of confidential meetings, and disruption of critical collaboration services. The availability of the conferencing platform could also be degraded or denied, impacting business continuity and operational efficiency. Given the high reliance on secure video conferencing in sectors such as finance, healthcare, public administration, and critical infrastructure, the vulnerability poses a risk of significant operational and reputational damage. Additionally, the potential for attackers to leverage this vulnerability as a foothold for broader network intrusion elevates the threat level. European organizations with multi-node Pexip Infinity deployments are particularly vulnerable, as the flaw enables compromise beyond a single node, increasing the scope and severity of potential attacks.
Mitigation Recommendations
To mitigate CVE-2025-66377, European organizations should implement the following specific measures:
1) Immediately restrict administrative and code execution access to Pexip Infinity nodes through strict access controls and network segmentation, limiting exposure to trusted internal networks only.
2) Monitor internal API traffic between nodes for anomalous or unauthorized requests that could indicate exploitation attempts.
3) Harden the environment by disabling unnecessary internal APIs or services where feasible until patches are available.
4) Employ host-based intrusion detection and endpoint protection solutions on Pexip nodes to detect and prevent unauthorized code execution.
5) Maintain rigorous patch management practices and apply vendor updates promptly once a fix for this vulnerability is released.
6) Conduct regular security audits and penetration tests focused on lateral movement and internal API security within Pexip deployments.
7) Educate IT and security teams on the specific risks associated with internal API authentication weaknesses to improve detection and response capabilities.
These targeted actions go beyond generic advice by focusing on internal network controls, monitoring, and proactive defense tailored to the multi-node architecture of Pexip Infinity.
Affected Countries
United Kingdom, Germany, France, Sweden, Norway, Denmark, Netherlands, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 694cc81abddd8c7d7f664836
Added to database: 12/25/2025, 5:14:02 AM
Last enriched: 1/1/2026, 10:40:50 PM
Last updated: 2/6/2026, 11:44:50 AM