CVE-2025-66449: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in C4illin ConvertX
ConvertX is a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user-supplied data without performing any sanitization on the name, thus allowing an arbitrary file write. This can be used to overwrite system binaries with ones provided by an attacker, allowing full code execution. Version 0.16.0 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-66449 is a path traversal vulnerability (CWE-22) affecting C4illin's ConvertX, a self-hosted online file converter. In versions before 0.16.0, the /upload endpoint improperly handles the filename parameter supplied by authenticated users, failing to sanitize or restrict the pathname. This flaw allows attackers to write files outside the intended upload directory, including overwriting system binaries. By replacing critical executables with malicious payloads, attackers can achieve arbitrary code execution with the privileges of the ConvertX service. The vulnerability also relates to CWE-73 (External Control of File Name or Path) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Exploitation requires valid authentication but no further user interaction, making it a significant risk in environments where user credentials can be compromised or are shared. The vendor released version 0.16.0 to patch this issue by implementing proper filename sanitization and path restrictions. Although no known exploits are currently reported in the wild, the high CVSS score (8.8) indicates a critical risk if exploited. The vulnerability impacts confidentiality, integrity, and availability, as attackers can fully control affected systems, potentially leading to data theft, system manipulation, or denial of service.
Potential Impact
For European organizations, this vulnerability poses a severe threat especially to those deploying ConvertX in production environments for file conversion services. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary code, manipulate or steal sensitive data, disrupt services, and potentially pivot to other internal systems. Industries such as finance, healthcare, government, and critical infrastructure that rely on self-hosted file conversion tools are particularly at risk. The requirement for authentication limits exposure but does not eliminate risk, as credential theft or insider threats could enable exploitation. Additionally, the ability to overwrite system binaries elevates the attack impact beyond typical file upload vulnerabilities, potentially allowing persistent and stealthy control over affected systems. This could result in regulatory non-compliance, financial losses, reputational damage, and operational downtime.
Mitigation Recommendations
European organizations should immediately upgrade all ConvertX instances to version 0.16.0 or later to apply the official patch. Until the upgrade is applied, implement strict input validation and sanitization on the filename parameter at the application or web server level to prevent path traversal. Restrict file system permissions for the ConvertX service account so that it can write only to the directories it needs, preventing the overwriting of critical binaries. Employ application-layer firewalls or intrusion detection systems to monitor and block suspicious upload requests. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Regularly audit file integrity on servers hosting ConvertX to detect unauthorized changes. Additionally, segment the network to isolate file conversion services from sensitive systems and maintain up-to-date backups to enable recovery from a potential compromise.
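The following is an added illustration, not code from ConvertX or its patch: it places the unsafe "join the user's `file.name` onto the upload directory" pattern described above next to a hardened variant that enforces the filename sanitization and path containment the mitigations call for. The upload directory path and all function names are assumptions made for this example.

```typescript
import * as path from "node:path";

// Assumed upload location for illustration only (not ConvertX's real path).
const UPLOAD_DIR = "/srv/convertx/uploads";

// Vulnerable pattern (the CWE-22 root cause described in the advisory): the
// user-controlled name is joined straight onto the upload directory. join()
// normalises "..", so a crafted name resolves to a path outside UPLOAD_DIR.
function unsafeUploadPath(fileName: string): string {
  return path.posix.join(UPLOAD_DIR, fileName);
}

// Hardened pattern: reject instead of rewrite, then prove containment.
// Returns the absolute destination path, or null when the name is unacceptable.
function safeUploadPath(fileName: string): string | null {
  // Refuse any directory component, either separator style, and NUL bytes.
  if (/[\/\\\0]/.test(fileName)) return null;
  // Refuse empty and dot-only names, which are not real file names.
  if (fileName === "" || fileName === "." || fileName === "..") return null;
  // Conservative allow-list for the remaining characters and a length bound.
  if (!/^[A-Za-z0-9._-]{1,255}$/.test(fileName)) return null;
  // Defence in depth: the resolved path must still be a child of UPLOAD_DIR,
  // so a future change to the checks above cannot silently reopen the hole.
  const resolved = path.posix.resolve(UPLOAD_DIR, fileName);
  return escapesUploadDir(resolved) ? null : resolved;
}

// True when a candidate path is not strictly inside UPLOAD_DIR. Also usable
// when reviewing logged destination paths from an unpatched instance.
function escapesUploadDir(candidate: string): boolean {
  const rel = path.posix.relative(UPLOAD_DIR, path.posix.resolve(candidate));
  return rel === "" || rel.startsWith("..") || path.posix.isAbsolute(rel);
}
```

`escapesUploadDir` deliberately treats the upload directory itself as "outside", since a write destination must be a file within it, not the directory.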
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-01T18:22:06.865Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6940abb2d9bcdf3f3d143143
Added to database: 12/16/2025, 12:45:38 AM
Last enriched: 12/23/2025, 1:34:11 AM
Last updated: 2/7/2026, 1:44:30 PM