CVE-2025-66378: CWE-863 Incorrect Authorization in Pexip Infinity
CVE-2025-66378 is a medium severity vulnerability in Pexip Infinity versions 38.0 and 38.1 prior to 39.0, caused by incorrect authorization in the RTMP implementation. This flaw allows unauthenticated attackers to disconnect RTMP streams passing through a Proxy Node, impacting availability but not confidentiality or integrity. Exploitation requires network access but no user interaction or privileges. The vulnerability affects organizations using Pexip Infinity for video conferencing and streaming, potentially disrupting communication services. European organizations relying on Pexip, especially in countries with high adoption of video conferencing infrastructure, are at risk. Mitigation involves upgrading to version 39.0 or later once available and restricting network access to Proxy Nodes.
AI Analysis
Technical Summary
CVE-2025-66378 is an authorization vulnerability classified under CWE-863 found in Pexip Infinity versions 38.0 and 38.1 before 39.0. The flaw resides in the RTMP (Real-Time Messaging Protocol) implementation, specifically in the handling of streams traversing a Proxy Node. Due to insufficient access control, an unauthenticated attacker can send crafted requests to disconnect active RTMP streams, effectively causing a denial of service by interrupting video or audio streams. The vulnerability does not expose confidential data nor allow modification of stream content, but it impacts the availability of streaming services. The attack vector is network-based (AV:N), with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), and the impact is limited to availability (A:H) without affecting confidentiality or integrity. No known exploits are reported in the wild yet. The vulnerability was reserved on 2025-11-28 and published on 2025-12-25. Pexip Infinity is widely used for enterprise video conferencing and streaming, making this vulnerability relevant for organizations relying on these services for communication and collaboration.
Potential Impact
For European organizations, this vulnerability could disrupt critical communication channels, especially in sectors relying heavily on video conferencing such as finance, government, healthcare, and education. The ability of an attacker to disconnect RTMP streams could lead to denial of service during important meetings or broadcasts, causing operational delays and potential reputational damage. Although no data breach or integrity compromise occurs, the availability impact can affect business continuity and remote collaboration efficiency. Organizations using Pexip Infinity Proxy Nodes exposed to untrusted networks are particularly vulnerable. The medium severity rating reflects the limited scope of impact but acknowledges the importance of uninterrupted communication in modern enterprises. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Pexip Infinity to version 39.0 or later once the patch is released by the vendor. Until then, network-level controls should be enforced to restrict access to Proxy Nodes, limiting exposure to trusted internal networks only. Implementing firewall rules or VPN access can reduce the attack surface. Monitoring RTMP stream stability and logging unusual disconnection events can help detect exploitation attempts. Additionally, organizations should review and harden access control policies around streaming infrastructure and consider segmenting video conferencing components from general network traffic. Regularly updating and patching Pexip Infinity and related components is critical. Engaging with Pexip support for interim mitigations or workarounds is recommended if patching is delayed.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Norway
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694cc81abddd8c7d7f664839
Added to database: 12/25/2025, 5:14:02 AM
Last enriched: 1/1/2026, 10:41:08 PM
Last updated: 2/7/2026, 2:35:29 PM