
CVE-2025-66443: CWE-617 Reachable Assertion in Pexip Infinity

Severity: High
Tags: Vulnerability, CVE-2025-66443, CWE-617
Published: Thu Dec 25 2025 (12/25/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Pexip
Product: Infinity

Description

CVE-2025-66443 is a high-severity vulnerability in Pexip Infinity versions 35.0 through 38.1 prior to 39.0, affecting non-default configurations that use Direct Media for WebRTC. It involves improper input validation in the signalling component, allowing an unauthenticated remote attacker to trigger a reachable assertion failure that causes the software to abort. This results in a temporary denial of service (DoS) condition. The vulnerability does not impact confidentiality or integrity but severely affects availability. Exploitation requires no user interaction and can be performed remotely over the network. No known exploits are currently reported in the wild. European organizations using Pexip Infinity for video conferencing with Direct Media enabled are at risk.

AI-Powered Analysis

Last updated: 01/01/2026, 22:41:36 UTC

Technical Analysis

CVE-2025-66443 is a vulnerability classified under CWE-617 (Reachable Assertion) found in Pexip Infinity versions 35.0 through 38.1 before 39.0. The issue arises in non-default configurations that enable Direct Media for WebRTC, a feature that allows media streams to be sent directly between endpoints rather than routed through a central server. The vulnerability is due to improper input validation in the signalling process, which is responsible for establishing and managing WebRTC sessions. An attacker can send specially crafted signalling messages that trigger an assertion failure within the software. Assertions are sanity checks in code that, when failed, cause the program to abort to prevent further damage or undefined behavior. In this case, the assertion failure leads to a software abort, resulting in a temporary denial of service by crashing or stopping the affected service. The vulnerability can be exploited remotely without authentication or user interaction, making it relatively easy for attackers to disrupt service availability. Although the vulnerability does not compromise confidentiality or integrity, the denial of service impact can disrupt critical video conferencing and communication services. No public exploits have been reported yet, but the CVSS v3.1 base score of 7.5 reflects the high impact on availability and ease of exploitation. The vulnerability was reserved on December 1, 2025, and published on December 25, 2025. Pexip Infinity is widely used in enterprise and government sectors for secure video conferencing, making this vulnerability significant for organizations relying on real-time communications.

Potential Impact

The primary impact of CVE-2025-66443 is a denial of service condition affecting the availability of Pexip Infinity video conferencing services. For European organizations, this can disrupt critical communication channels used for remote collaboration, virtual meetings, and secure conferencing, especially in sectors such as government, healthcare, finance, and large enterprises. Temporary service outages can lead to operational delays, reduced productivity, and potential reputational damage. Since the vulnerability can be exploited remotely without authentication, attackers can cause service interruptions at scale or target specific organizations. The lack of impact on confidentiality and integrity limits risks related to data breaches or manipulation, but availability disruptions in communication infrastructure can indirectly affect business continuity and incident response capabilities. Organizations using non-default Direct Media configurations are specifically at risk, which may include setups optimized for performance or compliance with certain network policies. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

Mitigation Recommendations

To mitigate CVE-2025-66443, organizations should promptly upgrade Pexip Infinity to version 39.0 or later, where the vulnerability has been addressed. If immediate upgrade is not feasible, review and consider disabling the non-default Direct Media configuration for WebRTC to prevent exposure to the vulnerable code path. Network-level protections such as firewall rules and intrusion detection/prevention systems should be configured to monitor and restrict suspicious signalling traffic to the Pexip Infinity servers. Implement strict access controls and network segmentation to limit exposure of the conferencing infrastructure to untrusted networks. Regularly monitor system logs and service health indicators for signs of crashes or abnormal terminations that may indicate exploitation attempts. Engage with Pexip support and subscribe to security advisories for updates on patches and recommended configurations. Additionally, conduct internal security assessments and penetration tests focusing on WebRTC signalling to identify potential weaknesses. Document and rehearse incident response procedures to quickly recover from potential denial of service incidents affecting communication services.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-01T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694cc4e20921a92379c39d90

Added to database: 12/25/2025, 5:00:18 AM

Last enriched: 1/1/2026, 10:41:36 PM

Last updated: 2/6/2026, 12:00:55 PM

