CVE-2025-66378: CWE-863 Incorrect Authorization in Pexip Infinity
Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.
AI Analysis
Technical Summary
CVE-2025-66378 is a vulnerability classified under CWE-863 (Incorrect Authorization) affecting Pexip Infinity versions 38.0 and 38.1 before 39.0. The flaw resides in the RTMP (Real-Time Messaging Protocol) implementation, specifically in the access control mechanisms governing RTMP streams traversing a Proxy Node. Due to insufficient authorization checks, an attacker with network access can forcibly disconnect RTMP streams without requiring any privileges or user interaction. This results in a denial-of-service condition affecting the availability of video streams. The vulnerability does not impact confidentiality or integrity, as it does not allow data leakage or modification. The CVSS 3.1 base score is 5.9, reflecting a medium severity level, with attack vector as network (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). No known exploits are currently reported in the wild, and no patches are listed yet, indicating the need for proactive mitigation. Organizations using Pexip Infinity for video conferencing and streaming should be aware of the risk of service disruption caused by this vulnerability, especially in environments where RTMP streams are critical for communication.
Potential Impact
The primary impact of CVE-2025-66378 is on the availability of RTMP streams within Pexip Infinity deployments. For European organizations, this can translate into disruption of video conferencing and streaming services, potentially affecting business continuity, remote collaboration, and critical communications. Sectors such as government, finance, healthcare, and large enterprises relying on Pexip for secure and reliable video communications may experience operational interruptions. Although confidentiality and integrity are not directly affected, the denial-of-service nature of the vulnerability could be leveraged in targeted attacks to degrade organizational communication capabilities. This is particularly concerning for organizations with distributed workforces or those conducting sensitive meetings over RTMP streams. The lack of authentication requirement lowers the barrier for exploitation, increasing the risk of opportunistic attacks from external threat actors. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation once the vulnerability becomes widely known.
Mitigation Recommendations
To mitigate CVE-2025-66378, organizations should prioritize upgrading Pexip Infinity to version 39.0 or later once the patch is released, as this will address the insufficient access control in the RTMP implementation. Until a patch is available, network-level controls should be enforced to restrict access to Proxy Nodes handling RTMP streams, limiting exposure to trusted internal networks and known IP addresses. Implementing network segmentation and firewall rules to block unauthorized traffic to RTMP Proxy Nodes can reduce the attack surface. Monitoring network traffic for unusual RTMP disconnect requests or anomalies may help detect exploitation attempts. Additionally, organizations should review and tighten access control policies around video streaming infrastructure and consider alternative secure streaming protocols if feasible. Regularly updating and auditing Pexip Infinity configurations and maintaining an incident response plan for video conferencing disruptions will further enhance resilience against this vulnerability.
Affected Countries
United Kingdom, Germany, France, Sweden, Norway, Denmark, Netherlands, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694cc81abddd8c7d7f664839
Added to database: 12/25/2025, 5:14:02 AM
Last enriched: 12/25/2025, 5:15:50 AM
Last updated: 12/25/2025, 8:25:03 AM