CVE-2025-66398: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
AI Analysis
Technical Summary
CVE-2025-66398 is an OS command injection vulnerability identified in the SignalK signalk-server, a server application commonly deployed on central hubs in boats to manage maritime data. The vulnerability exists in versions prior to 2.19.0 and is triggered via the /skServer/validateBackup endpoint, which does not require authentication. An attacker can exploit this endpoint to pollute the internal state variable restoreFilePath. By manipulating this variable, the attacker hijacks the administrator's Restore functionality, enabling overwriting of critical server configuration files such as security.json and package.json. These files are essential for server security and operation. Overwriting them can lead to account takeover by compromising authentication mechanisms and ultimately allows remote code execution (RCE) on the server. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-913 (Improper Control of Dynamically-Managed Code Resources). The CVSS v3.1 score is 9.7 (critical), reflecting the vulnerability's network attack vector, no required privileges, low attack complexity, and high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild, the severity and ease of exploitation make it a significant threat. The vendor patched this vulnerability in version 2.19.0, and upgrading to this or later versions is strongly recommended.
Potential Impact
For European organizations, particularly those involved in maritime operations such as shipping companies, port authorities, and marine research institutions, this vulnerability poses a severe risk. SignalK servers are used to centralize and manage critical maritime data, including navigation and sensor information. Exploitation could lead to unauthorized access to sensitive operational data, manipulation of vessel control systems, and disruption of maritime operations. The ability to execute remote code could allow attackers to pivot into broader network environments, potentially compromising other critical infrastructure. Given Europe's extensive coastline and reliance on maritime trade, the impact could extend to economic disruption and safety risks. Additionally, compromised systems could be used as a foothold for further attacks against European maritime supply chains and logistics networks.
Mitigation Recommendations
1. Immediate upgrade of all SignalK signalk-server instances to version 2.19.0 or later to apply the official patch.
2. Restrict network access to the /skServer/validateBackup endpoint by implementing firewall rules or network segmentation, allowing only trusted administrative hosts to communicate with the server.
3. Implement strict monitoring and logging of access to the restore functionality and related endpoints to detect anomalous activity.
4. Conduct regular integrity checks on critical configuration files (security.json, package.json) to detect unauthorized modifications.
5. Employ application-layer firewalls or intrusion detection systems capable of detecting command injection patterns targeting the signalk-server.
6. Educate maritime IT staff about the risks and ensure secure configuration management practices are followed.
7. If upgrading immediately is not feasible, consider disabling the Restore functionality temporarily or applying custom input validation to the vulnerable endpoint as a stopgap measure.
Affected Countries
United Kingdom, Norway, Netherlands, Germany, France, Italy, Spain, Greece
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-28T23:33:56.363Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6956b95edb813ff03e75250c
Added to database: 1/1/2026, 6:13:50 PM
Last enriched: 1/8/2026, 6:55:15 PM
Last updated: 2/6/2026, 6:53:33 AM