CVE-2025-66377 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting Pexip Infinity versions prior to 39.0. The flaw resides in a product-internal API that lacks proper authentication controls, allowing an attacker who already has code execution capabilities on one node within a Pexip Infinity cluster to manipulate or disrupt other nodes in the installation. This vulnerability does not allow initial compromise but enables lateral movement and escalation within the environment. The attack vector is adjacent network access, meaning the attacker must be on the same network segment or have some level of network access to the internal APIs. The CVSS v3.1 base score is 7.5, reflecting high severity due to the high impact on confidentiality, integrity, and availability, combined with the requirement of high attack complexity and no privileges or user interaction needed. The vulnerability could allow attackers to disrupt video conferencing services, intercept or alter communications, or cause denial of service across multiple nodes, severely impacting organizational operations. No public exploits have been reported yet, but the potential for abuse in environments relying heavily on Pexip Infinity for critical communications is significant. The lack of authentication on internal APIs is a critical design flaw that should be addressed by implementing robust access controls and authentication mechanisms. Since Pexip Infinity is often deployed in clustered environments for scalability and redundancy, this vulnerability undermines the security assumptions of node isolation and trust within the cluster.

For European organizations, the impact of CVE-2025-66377 can be substantial, especially for sectors relying on Pexip Infinity for secure video conferencing and collaboration, such as government agencies, healthcare, finance, and critical infrastructure. Exploitation could lead to unauthorized access to sensitive communications, disruption of critical meetings, and potential data leakage or manipulation. The ability of an attacker to move laterally within the Pexip cluster increases the risk of widespread service disruption and complicates incident response efforts. Given the high confidentiality, integrity, and availability impacts, organizations could face operational downtime, reputational damage, and regulatory consequences under GDPR if personal data is compromised. The vulnerability also raises concerns for organizations implementing hybrid or multi-node deployments across different geographic locations, as cross-node attacks could propagate across national boundaries within the same infrastructure. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score indicates that attackers with internal access could exploit this flaw to significant effect.

1. Immediately restrict network access to Pexip Infinity internal APIs to trusted management networks only, using network segmentation and firewall rules to limit lateral movement. 2. Monitor internal API traffic for unusual patterns or unauthorized requests indicative of exploitation attempts. 3. Deploy host-based intrusion detection systems (HIDS) on Pexip nodes to detect unauthorized code execution or privilege escalation activities. 4. Apply vendor patches or updates as soon as they become available for Pexip Infinity version 39.0 or later, which address this authentication flaw. 5. Implement strict access controls and authentication mechanisms on internal APIs, including mutual TLS or token-based authentication, to prevent unauthorized use. 6. Conduct regular security audits and penetration tests focusing on internal API security and node-to-node communication within the Pexip cluster. 7. Educate system administrators on the risks of lateral movement and the importance of securing internal network segments. 8. Consider deploying network anomaly detection tools to identify suspicious intra-cluster communications. 9. Maintain an incident response plan that includes scenarios involving internal API compromise and lateral movement within clustered services.