
CVE-2025-66489: CWE-303: Incorrect Implementation of Authentication Algorithm in calcom cal.com

Critical
Tags: Vulnerability, CVE-2025-66489, cve, cwe-303
Published: Wed Dec 03 2025 (12/03/2025, 19:44:35 UTC)
Source: CVE Database V5
Vendor/Project: calcom
Product: cal.com

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

AI-Powered Analysis

AI analysis last updated: 12/03/2025, 20:14:40 UTC

Technical Analysis

CVE-2025-66489 is a critical vulnerability in the open-source scheduling software cal.com, affecting all versions prior to 5.9.8. The root cause is an incorrect implementation of the authentication algorithm (CWE-303) in the login credentials provider: a conditional in the authentication flow handles a request that carries a Time-based One-Time Password (TOTP) code in such a way that the password is never verified. Instead of requiring a correct password and a valid TOTP code, the flow accepts the login on the strength of the TOTP code alone, so a factor that was meant to be additional becomes a substitute for the password.

In practice an attacker who knows an account's email and can generate or intercept a valid TOTP code for it (for example with a copied TOTP secret or a phished current code) no longer needs the password. The advisory text does not say whether accounts that have not enrolled a second factor are also affected; until that is confirmed, treat every account on an unpatched instance as exposed. The flaw is exploitable over the network with no privileges and no user interaction, and a successful login grants the victim's full access, so the impact is unauthorized account access plus whatever data and actions that account can reach. The CVE carries a CVSS 4.0 base score of 9.9. It was published on December 3, 2025 and fixed in cal.com 5.9.8. No exploitation in the wild has been reported at the time of writing, but a logic bug of this kind is trivial to exercise once understood, so remediation should not wait.
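To make the conditional-logic failure concrete, here is a constructed TypeScript illustration, added here and not cal.com's own code: a minimal credentials-provider `authorize` in the vulnerable shape the advisory describes (password verification skipped whenever a `totpCode` field is present) beside the corrected shape (password always verified, TOTP required in addition when enrolled). The TOTP and password helpers are small RFC 6238 and scrypt implementations so the block runs offline; the user store, secret, salt and timestamp are constructed fixtures, and the names `authorizeVulnerable` and `authorizeFixed` are hypothetical.

```typescript
import { createHmac, scryptSync, timingSafeEqual } from "node:crypto";

// RFC 4226 HOTP: 6-digit code derived from HMAC-SHA1(secret, counter).
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

// RFC 6238 TOTP with a 30-second step; nowMs is injected so runs are deterministic.
function totp(secret: Buffer, nowMs: number, stepSec = 30): string {
  return hotp(secret, Math.floor(nowMs / 1000 / stepSec));
}

// Accepts the current step and one step either side (clock drift), comparing in constant time.
function checkTotp(secret: Buffer, code: string, nowMs: number): boolean {
  let ok = false;
  for (const skew of [-1, 0, 1]) {
    const a = Buffer.from(code);
    const b = Buffer.from(totp(secret, nowMs + skew * 30_000));
    if (a.length === b.length && timingSafeEqual(a, b)) ok = true;
  }
  return ok;
}

// scrypt password hashing; the caller supplies the salt only so the demo is deterministic.
function hashPassword(password: string, salt: Buffer): string {
  return `${salt.toString("hex")}$${scryptSync(password, salt, 32).toString("hex")}`;
}
function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split("$");
  const derived = scryptSync(password, Buffer.from(saltHex, "hex"), 32);
  return timingSafeEqual(derived, Buffer.from(keyHex, "hex"));
}

interface User { email: string; passwordHash: string; twoFactorEnabled: boolean; totpSecret?: Buffer }
interface Credentials { email: string; password: string; totpCode?: string }

// VULNERABLE shape (constructed, hypothetical): the password is only checked when no
// totpCode is present, as if a request carrying a code had already passed an earlier
// password-only step. The server cannot tell a resubmission from a fresh request.
function authorizeVulnerable(users: Map<string, User>, c: Credentials, nowMs: number): User | null {
  const user = users.get(c.email.toLowerCase());
  if (!user) return null;
  if (!c.totpCode && !verifyPassword(c.password, user.passwordHash)) return null;
  if (user.twoFactorEnabled) {
    if (!c.totpCode || !user.totpSecret || !checkTotp(user.totpSecret, c.totpCode, nowMs)) return null;
  }
  return user;
}

// FIXED shape (constructed, hypothetical): the password is verified on every request;
// the second factor is an additional requirement, never a substitute.
function authorizeFixed(users: Map<string, User>, c: Credentials, nowMs: number): User | null {
  const user = users.get(c.email.toLowerCase());
  if (!user) return null;
  if (!verifyPassword(c.password, user.passwordHash)) return null;
  if (user.twoFactorEnabled) {
    if (!c.totpCode || !user.totpSecret || !checkTotp(user.totpSecret, c.totpCode, nowMs)) return null;
  }
  return user;
}

// Constructed fixtures: the RFC 6238 test secret, a fixed salt, and T = 59 s (counter 1).
const DEMO_SECRET = Buffer.from("12345678901234567890", "ascii");
const DEMO_SALT = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex");
const DEMO_NOW_MS = 59_000;

function buildDemoUsers(): Map<string, User> {
  return new Map<string, User>([
    ["alice@example.com", { email: "alice@example.com", passwordHash: hashPassword("alice-pw", DEMO_SALT), twoFactorEnabled: true, totpSecret: DEMO_SECRET }],
    ["bob@example.com", { email: "bob@example.com", passwordHash: hashPassword("bob-pw", DEMO_SALT), twoFactorEnabled: false }],
  ]);
}

// Runs the same four requests through both shapes and reports what each one decided.
function runDemo() {
  const users = buildDemoUsers();
  const code = totp(DEMO_SECRET, DEMO_NOW_MS);
  const wrongPwWithCode: Credentials = { email: "alice@example.com", password: "not-her-password", totpCode: code };
  const rightPwWithCode: Credentials = { email: "alice@example.com", password: "alice-pw", totpCode: code };
  const wrongPwNoCode: Credentials = { email: "alice@example.com", password: "not-her-password" };
  const bobWrongPwAnyCode: Credentials = { email: "bob@example.com", password: "guess", totpCode: "000000" };
  return {
    code,
    vulnBypassed: authorizeVulnerable(users, wrongPwWithCode, DEMO_NOW_MS) !== null,
    fixedRejected: authorizeFixed(users, wrongPwWithCode, DEMO_NOW_MS) === null,
    bothAcceptLegit: authorizeVulnerable(users, rightPwWithCode, DEMO_NOW_MS) !== null && authorizeFixed(users, rightPwWithCode, DEMO_NOW_MS) !== null,
    vulnRejectsNoCode: authorizeVulnerable(users, wrongPwNoCode, DEMO_NOW_MS) === null,
    vulnBobBypassed: authorizeVulnerable(users, bobWrongPwAnyCode, DEMO_NOW_MS) !== null,
    fixedBobRejected: authorizeFixed(users, bobWrongPwAnyCode, DEMO_NOW_MS) === null,
  };
}

console.log(runDemo());
```

With the RFC 6238 test secret at T = 59 s the valid code is 287082; the vulnerable function accepts that code together with a wrong password for the 2FA-enrolled user, and in this constructed shape it also accepts any string in `totpCode` for a user with no second factor, because the only remaining check is gated on enrollment. Whether cal.com's real conditional had that second property is not stated on this page; the fix pattern is the same either way: verify the password on every request and treat the second factor as an extra condition rather than an alternative path.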

Potential Impact

For European organizations that self-host cal.com, or expose it to customers for scheduling and appointment management, the risk is direct: an attacker who takes over an account obtains whatever that account can see and do, which for scheduling software typically means attendee names and contact details, meeting links, connected calendars and any integrations the user has configured. Sectors that book sensitive appointments, such as healthcare, finance, education and government, are most exposed, because the booking data is itself personal data. A compromised account is also a foothold for further attacks: fraudulent bookings, phishing of attendees from a trusted address, or pivoting into connected calendar and video services. Because the flaw sits in the login path and needs no prior access or user interaction, exposure is instance-wide until the patch is applied, and it undermines the assurance that enabling a second factor was supposed to provide.

Mitigation Recommendations

Upgrade to cal.com 5.9.8 or later; that is the only complete fix. Inventory self-hosted instances and their versions first so patching can be prioritized. Where an immediate upgrade is not possible, the temporary options are weaker: put cal.com behind an external identity provider with its own multi-factor authentication so that the built-in credentials provider is not the path users take, or disable TOTP-based login. The second option trades away the second factor and only helps if the affected code path is really no longer reachable, so verify on a test instance that a login request carrying a TOTP code together with a wrong password is rejected before relying on it. For detection, look in authentication logs for a password failure for an account followed shortly by a successful login for the same account that carried a TOTP code, especially from the same source address; an attacker who goes straight to the bypass leaves no failed attempt, so treat this as a low-cost signal rather than proof of absence. After patching, review recent successful logins on previously unpatched instances for the same pattern. Network segmentation and least-privilege permissions on connected integrations limit what a hijacked account can reach, users should keep TOTP secrets on devices they control, and a penetration test of the login flow after remediation confirms the fix is actually in place.
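The log-correlation heuristic above, as a constructed TypeScript example that is not part of this page or of cal.com: five JSON-lines login events are embedded as constructed sample data (cal.com's actual log format is not shown on this page and is assumed here), parsed, and scanned for a `bad_password` failure followed within five minutes by a TOTP-carrying success for the same account from the same source. `parseAuthLog` and `findPasswordFailThenTotpSuccess` are hypothetical names.

```typescript
// Constructed sample log in a JSON-lines shape; the field names are assumptions,
// not cal.com's real log schema.
const SAMPLE_LOG: string[] = [
  '{"ts":"2025-12-03T20:00:01Z","event":"login","user":"alice@example.com","src":"203.0.113.7","outcome":"failure","reason":"bad_password","totp":false}',
  '{"ts":"2025-12-03T20:00:09Z","event":"login","user":"alice@example.com","src":"203.0.113.7","outcome":"success","reason":null,"totp":true}',
  '{"ts":"2025-12-03T20:05:00Z","event":"login","user":"carol@example.com","src":"198.51.100.4","outcome":"failure","reason":"bad_password","totp":false}',
  '{"ts":"2025-12-03T20:30:00Z","event":"login","user":"carol@example.com","src":"198.51.100.4","outcome":"success","reason":null,"totp":true}',
  '{"ts":"2025-12-03T20:40:00Z","event":"login","user":"dave@example.com","src":"192.0.2.9","outcome":"success","reason":null,"totp":true}',
];

interface AuthEvent {
  ts: number;                       // epoch milliseconds
  user: string;                     // lower-cased account identifier
  src: string;                      // source address
  outcome: "success" | "failure";
  reason: string | null;            // failure reason, if any
  totp: boolean;                    // request carried a TOTP code
}

// Parses JSON lines, keeps only login events, and returns them in time order.
function parseAuthLog(lines: string[]): AuthEvent[] {
  const events: AuthEvent[] = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    const o = JSON.parse(line);
    if (o.event !== "login") continue;
    events.push({
      ts: Date.parse(o.ts),
      user: String(o.user).toLowerCase(),
      src: String(o.src),
      outcome: o.outcome === "success" ? "success" : "failure",
      reason: o.reason ?? null,
      totp: Boolean(o.totp),
    });
  }
  return events.sort((a, b) => a.ts - b.ts);
}

interface Finding { user: string; src: string; failedAt: string; succeededAt: string }

// Flags a TOTP-carrying success that follows a bad-password failure for the same
// account and source within windowMs. A straight-to-bypass attacker leaves no
// failure, so absence of findings is not evidence of absence of abuse.
function findPasswordFailThenTotpSuccess(events: AuthEvent[], windowMs = 5 * 60_000): Finding[] {
  const lastBadPassword = new Map<string, AuthEvent>(); // key: user|src
  const findings: Finding[] = [];
  for (const e of events) {
    const key = `${e.user}|${e.src}`;
    if (e.outcome === "failure" && e.reason === "bad_password") {
      lastBadPassword.set(key, e);
      continue;
    }
    if (e.outcome === "success" && e.totp) {
      const prior = lastBadPassword.get(key);
      if (prior && e.ts - prior.ts <= windowMs) {
        findings.push({
          user: e.user,
          src: e.src,
          failedAt: new Date(prior.ts).toISOString(),
          succeededAt: new Date(e.ts).toISOString(),
        });
      }
      lastBadPassword.delete(key);
    }
  }
  return findings;
}

function runDetection(): Finding[] {
  return findPasswordFailThenTotpSuccess(parseAuthLog(SAMPLE_LOG));
}

console.log(runDetection());
```

On the sample data only alice is flagged: carol's failure and success are 25 minutes apart, and dave has no preceding failure. Tune the window to the instance's real login cadence, and key on user plus source so that a legitimate user mistyping a password at home is not conflated with an attacker elsewhere.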


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-02T22:44:04.707Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693096f5728fb3f62eb70505

Added to database: 12/3/2025, 8:00:53 PM

Last enriched: 12/3/2025, 8:14:40 PM

Last updated: 12/4/2025, 3:04:47 AM

