
CVE-2025-66443: CWE-617 Reachable Assertion in Pexip Infinity

Severity: High
Tags: vulnerability, cve-2025-66443, cwe-617
Published: Thu Dec 25 2025 (12/25/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Pexip
Product: Infinity

Description

Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service.

AI-Powered Analysis

Last updated: 12/25/2025, 05:14:52 UTC

Technical Analysis

CVE-2025-66443 is classified under CWE-617 (Reachable Assertion) and affects Pexip Infinity versions 35.0 through 38.1; the affected range "before 39.0" identifies 39.0 as the first fixed release. The issue is only reachable in non-default configurations that enable Direct Media for WebRTC. In that mode, insufficient validation of incoming signalling messages lets an attacker send a crafted message that reaches an internal assertion; the assertion fails and the process aborts, producing a temporary denial of service until the service recovers.

The vulnerability can be exploited over the network without authentication or user interaction. The CVSS v3.1 base score is 7.5 (High): network attack vector, low attack complexity, no privileges or user interaction required, with impact on availability only; confidentiality and integrity are not affected.

The CVE was assigned by MITRE (reserved 2025-12-01, published 2025-12-25). No public exploit is known at the time of writing. Pexip Infinity is widely used for enterprise video conferencing, and deployments that rely on WebRTC direct media should treat this as a service-continuity risk.
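
As an added example (not Pexip code and not part of the original page), the following Python triage helper decides which nodes in an inventory fall inside the affected range and also have the non-default Direct Media for WebRTC path enabled. The inventory and the direct_media_webrtc flag name are constructed for illustration; read the real setting from your deployment's configuration.

```python
"""Triage helper for CVE-2025-66443: which Pexip Infinity nodes are exposed.

Added example, not Pexip code. The inventory below is constructed, and
'direct_media_webrtc' is an assumed flag name standing in for the real
Direct Media for WebRTC setting in the deployment's configuration.
"""
from __future__ import annotations

from dataclasses import dataclass

AFFECTED_MIN = (35, 0)   # first affected release per the CVE description
FIXED = (39, 0)          # "before 39.0": 39.0 is the first fixed release


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '38.1' or 'v38.1.2' into a tuple of ints for comparison.

    Plain string comparison would order '38.10' before '38.2'; tuples do not.
    """
    text = text.strip().lstrip("vV")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True if major.minor lies in [35.0, 39.0); patch levels are ignored."""
    v = parse_version(version)[:2]
    v = v + (0,) * (2 - len(v))      # '39' must compare equal to '39.0'
    return AFFECTED_MIN <= v < FIXED


@dataclass
class Node:
    name: str
    version: str
    direct_media_webrtc: bool  # assumed flag name; read from the real config


def exposed_nodes(nodes: list[Node]) -> list[str]:
    """A node is exposed only if its version is affected AND the non-default
    Direct Media for WebRTC path is enabled; the default configuration is safe."""
    return [n.name for n in nodes
            if is_affected_version(n.version) and n.direct_media_webrtc]


# Constructed inventory for illustration.
INVENTORY = [
    Node("conf-node-01", "38.1", True),     # affected and exposed
    Node("conf-node-02", "38.1", False),    # affected version, vulnerable path disabled
    Node("conf-node-03", "39.0", True),     # first fixed release
    Node("conf-node-04", "34.2", True),     # before the affected range
    Node("conf-node-05", "v36.0.1", True),  # patch-level suffix still parses
]

if __name__ == "__main__":
    for name in exposed_nodes(INVENTORY):
        print(f"{name}: affected version with Direct Media for WebRTC enabled")
```

The check deliberately requires both conditions: a node on an affected version with Direct Media for WebRTC left at its default (disabled) state does not reach the vulnerable signalling path, so it belongs on the upgrade list but not on the emergency list.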

Potential Impact

For European organizations, the primary impact of CVE-2025-66443 is disruption of real-time communication services that run Pexip Infinity with Direct Media for WebRTC enabled. A temporary denial of service can interrupt meetings in progress, block new calls from being set up and degrade the user experience, which affects business continuity in sectors that depend on video conferencing for remote work, customer interactions and collaboration. Confidentiality and integrity are not directly affected, but repeated loss of availability can still undermine operational security and trust in the platform. Organizations in finance, government, healthcare and critical infrastructure are particularly exposed because they rely on uninterrupted communication channels. Because no authentication is required and the attack complexity is low, the risk of opportunistic or targeted disruption is elevated, and since the trigger is a crafted message it may be repeated each time the service recovers, so a "temporary" outage can be prolonged. No exploitation in the wild is known at the time of writing, which leaves a window for proactive mitigation.

Mitigation Recommendations

To mitigate CVE-2025-66443, upgrade Pexip Infinity to version 39.0 or later, which the affected-version range in the description identifies as the first fixed release. Where an upgrade cannot be scheduled immediately, note that the vulnerable code path is only reached in non-default configurations: disabling Direct Media for WebRTC removes the exposure, at the cost of routing media through the conferencing node again. Network-level controls should limit who can reach the WebRTC signalling interface: restrict it to expected client networks or the reverse proxy in front of it, and monitor it with intrusion detection. Rate limiting and anomaly detection on signalling traffic help with attribution and with slowing down repeated attempts, but a single crafted message is enough to trigger the abort, so they do not prevent exploitation on their own. Treat an unexpected abort or restart of the conferencing process as a detection signal and correlate it with the signalling sources active immediately before it. Review non-default settings across all nodes so that Direct Media is enabled only where it is needed. Clustering and failover (rather than backups, which do not shorten a denial-of-service outage) reduce the impact of a node restart. Finally, track the vendor's security advisories and apply updates promptly.
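
The signalling rate check and abort correlation described above, as an added example that is not part of the original page or of any Pexip tooling. The log lines and their format are constructed, the thresholds are assumptions, and the regular expressions must be adapted to the real Pexip Infinity signalling and service log schema before use.

```python
"""Detection sketch for CVE-2025-66443-style abort triggering.

Added example, not a Pexip or vendor tool. The log format below is
constructed for illustration; real Pexip Infinity logs differ, so the
regexes and thresholds must be adapted. Two signals are combined:
  1. per-source signalling rate over a sliding window (burst / fuzzing)
  2. which sources were sending signalling in the seconds before an abort
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed formats; adapt to the real log schema.
SIGNAL_RE = re.compile(r"^(?P<ts>\S+) signalling src=(?P<src>[\d.]+) type=(?P<type>\w+)$")
ABORT_RE = re.compile(r"^(?P<ts>\S+) service conferencing_worker aborted reason=assertion$")

WINDOW = timedelta(seconds=10)
RATE_THRESHOLD = 20          # assumed: >20 signalling messages per 10 s from one source
PRE_ABORT = timedelta(seconds=5)  # assumed look-back before an abort


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def parse(lines):
    """Split raw lines into (ts, src, type) signalling events and abort timestamps."""
    signals, aborts = [], []
    for line in lines:
        m = SIGNAL_RE.match(line)
        if m:
            signals.append((_ts(m["ts"]), m["src"], m["type"]))
            continue
        m = ABORT_RE.match(line)
        if m:
            aborts.append(_ts(m["ts"]))
    return signals, aborts


def rate_offenders(signals):
    """Sources that exceed RATE_THRESHOLD within any sliding WINDOW."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, src, _ in sorted(signals):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > RATE_THRESHOLD:
            offenders.add(src)
    return offenders


def pre_abort_sources(signals, aborts):
    """Map each abort (ISO timestamp) to the sources active in the PRE_ABORT window before it."""
    result = {}
    for abort_ts in aborts:
        srcs = sorted({src for ts, src, _ in signals
                       if abort_ts - PRE_ABORT <= ts <= abort_ts})
        result[abort_ts.isoformat()] = srcs
    return result


def suspects(lines):
    """Return (high-confidence, lower-confidence) source lists.

    High confidence: bursty AND active just before an abort.
    Lower confidence: active before an abort but not bursty, which matters
    here because a single crafted message is enough to trigger the abort.
    """
    signals, aborts = parse(lines)
    offenders = rate_offenders(signals)
    preceded = {s for srcs in pre_abort_sources(signals, aborts).values() for s in srcs}
    return sorted(offenders & preceded), sorted(preceded - offenders)


# Constructed sample: a normal client, one source bursting 25 messages, then an abort.
SAMPLE = ["2025-12-25T10:00:00 signalling src=10.1.1.5 type=offer",
          "2025-12-25T10:00:01 signalling src=10.1.1.5 type=candidate"]
SAMPLE += [f"2025-12-25T10:00:{2 + i // 5:02d} signalling src=203.0.113.7 type=candidate"
           for i in range(25)]
SAMPLE += ["2025-12-25T10:00:08 service conferencing_worker aborted reason=assertion",
           "2025-12-25T10:00:30 signalling src=10.1.1.9 type=offer"]

if __name__ == "__main__":
    high, low = suspects(SAMPLE)
    print("high confidence:", high)
    print("lower confidence:", low)
```

The second list exists on purpose: because the trigger is one malformed message, the attacker may never trip the rate threshold, so the abort-to-source correlation is the primary signal and the rate check only adds confidence. Either way the output is for attribution and blocking at the network edge; it does not stop the first abort.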


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-01T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694cc4e20921a92379c39d90

Added to database: 12/25/2025, 5:00:18 AM

Last enriched: 12/25/2025, 5:14:52 AM

Last updated: 12/25/2025, 6:31:43 AM

