CVE-2025-66489: CWE-303: Incorrect Implementation of Authentication Algorithm in calcom cal.com
Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
AI Analysis
Technical Summary
CVE-2025-66489 is a critical authentication flaw in cal.com, an open-source scheduling platform, classified under CWE-303 (Incorrect Implementation of Authentication Algorithm). In versions prior to 5.9.8, the login credentials provider evaluates its checks with faulty conditional logic: when the login request carries a TOTP code, the provider skips password verification instead of treating the code as an additional factor. An attacker who knows a target account's email address can therefore attempt to authenticate without that account's password. The published description does not state whether the supplied code must itself be valid; defenders should assume the password check is skipped whenever the TOTP field is present in the request. The flaw is reachable over the network through the ordinary login endpoint, with no privileges and no user interaction, which is reflected in the CVSS 4.0 base score of 9.9 (critical) and high impact ratings for confidentiality, integrity and availability. No public exploit had been reported at the time of analysis, but a logic error of this kind needs no special tooling to exploit, and successful exploitation yields full control of the affected account and its scheduling data. Version 5.9.8 corrects the conditional so that the password is always verified and the TOTP code is checked in addition to it, never instead of it. Deployments on earlier versions should upgrade immediately.
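The block below is an illustration added for this analysis; it is not code from cal.com or its maintainers, and the page does not show the project's actual authorize logic. It reconstructs the flaw class in a simplified credentials-provider authorize step: the password check is made conditional on the absence of a TOTP code, so any request that carries the field skips it. The hardened version verifies each factor unconditionally and in a fixed order. The user store, secrets, function names and the exact shape of the conditional are assumptions for the example; in particular, whether cal.com's vulnerable code checked nothing at all for accounts without 2FA is not stated in the advisory text. The TOTP secret is the RFC 6238 test secret so the code values are reproducible.

```typescript
// Added illustrative example, not code from cal.com: a simplified credentials
// "authorize" step showing the flaw class described for CVE-2025-66489 (password
// check skipped when a TOTP code is supplied) next to a hardened version.
// The user store, secrets and function names are constructed for this example.
import { createHmac, scryptSync, timingSafeEqual } from "node:crypto";

interface User {
  email: string;
  salt: Buffer;
  passwordHash: Buffer; // scrypt(password, salt, 32)
  totpSecret?: Buffer;  // present only when the user has enabled 2FA
}

interface Credentials {
  email: string;
  password?: string;
  totpCode?: string;
}

// Constructed fixtures. The TOTP secret is the RFC 6238 test secret.
const TOTP_TEST_SECRET = Buffer.from("12345678901234567890", "ascii");
function makeUser(email: string, password: string, totpSecret?: Buffer): User {
  const salt = Buffer.from("salt-for-" + email, "utf8"); // fixed salt for determinism
  return { email, salt, passwordHash: scryptSync(password, salt, 32), totpSecret };
}
const users = new Map<string, User>([
  ["alice@example.com", makeUser("alice@example.com", "correct horse", TOTP_TEST_SECRET)],
  ["bob@example.com", makeUser("bob@example.com", "battery staple")], // no 2FA enrolled
]);

function verifyPassword(password: string, user: User): boolean {
  const candidate = scryptSync(password, user.salt, 32);
  return timingSafeEqual(candidate, user.passwordHash);
}

// RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, dynamic truncation.
function totp(secret: Buffer, timeSec: number, step = 30, digits = 6): string {
  const counter = Math.floor(timeSec / step);
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const h = createHmac("sha1", secret).update(msg).digest();
  const off = h[h.length - 1] & 0x0f;
  const bin = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  const code = String(bin % Math.pow(10, digits));
  return ("000000000" + code).slice(-digits);
}

function verifyTotp(code: string, secret: Buffer, nowSec: number): boolean {
  // Accept one step of clock skew either side; compare in constant time.
  for (const skew of [-1, 0, 1]) {
    const expected = totp(secret, nowSec + skew * 30);
    if (code.length === expected.length &&
        timingSafeEqual(Buffer.from(code), Buffer.from(expected))) return true;
  }
  return false;
}

// Hypothetical VULNERABLE pattern: the password check is gated on the absence
// of a TOTP code, so a request that merely carries a totpCode field skips it.
// For a user without 2FA nothing else is checked, so the email alone logs in.
function authorizeVulnerable(c: Credentials, nowSec: number): User | null {
  const user = users.get(c.email);
  if (!user) return null;
  if (!c.totpCode) {                                        // BUG: conditional password check
    if (!c.password || !verifyPassword(c.password, user)) return null;
  }
  if (user.totpSecret) {
    if (!c.totpCode || !verifyTotp(c.totpCode, user.totpSecret, nowSec)) return null;
  }
  return user;
}

// Hardened version: each factor is verified unconditionally and in a fixed
// order; the second factor can only add a requirement, never remove one.
function authorizeFixed(c: Credentials, nowSec: number): User | null {
  const user = users.get(c.email);
  if (!user) return null;
  if (!c.password || !verifyPassword(c.password, user)) return null;   // factor 1, always
  if (user.totpSecret) {                                                // factor 2, if enrolled
    if (!c.totpCode || !verifyTotp(c.totpCode, user.totpSecret, nowSec)) return null;
  }
  return user;
}

// Demo at t = 59 s (RFC 6238 vector: this secret yields code 287082 at that time).
console.log("vulnerable, bob, no password:", authorizeVulnerable({ email: "bob@example.com", totpCode: "000000" }, 59)?.email);
console.log("fixed, bob, no password:", authorizeFixed({ email: "bob@example.com", totpCode: "000000" }, 59));
console.log("vulnerable, alice, wrong password + valid TOTP:", authorizeVulnerable({ email: "alice@example.com", password: "wrong", totpCode: "287082" }, 59)?.email);
```

The vulnerable function accepts bob with no password at all because the dummy TOTP field disables the only check that applies to him, and accepts alice with a wrong password because her valid second factor is treated as a substitute for the first. The fixed function rejects both and still requires the TOTP code for enrolled users, which is the property the 5.9.8 correction restores.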
Potential Impact
For European organizations, this vulnerability exposes user accounts and the scheduling data behind them. An attacker who takes over an account can read and alter appointments, harvest the personal data of attendees, and act as the legitimate user in bookings, which disrupts operations and gives the attacker a credible identity for social engineering against that user's contacts. Organizations that embed cal.com in client-facing or internal workflows, especially those handling client, patient or employee data, face direct confidentiality and integrity risk. Because the flaw needs neither prior authentication nor user interaction, the barrier to exploitation is low and opportunistic attacks against internet-exposed instances are plausible. The exposure is most serious in healthcare, finance and public-sector services, where scheduling records often contain regulated personal data; a confirmed compromise of such data is a notifiable breach under GDPR, with the attendant regulatory and reputational consequences.
Mitigation Recommendations
Upgrade to cal.com 5.9.8 or later; this is the only complete fix. Inventory every cal.com deployment, including self-hosted instances, staging copies and containers built from older images, and confirm the version that is actually running rather than the one recorded in a manifest. After patching, verify on a test account that the credentials login rejects a request that carries a TOTP code together with a wrong or empty password. While a patch is pending, reduce exposure by restricting access to the login endpoint, for example by placing the instance behind a VPN, an identity-aware proxy or an allow-list of trusted IP ranges. Disabling TOTP is not an adequate workaround: it weakens protection for enrolled users, and the bypass is triggered by the contents of the login request rather than by the account's 2FA setting. Review authentication logs for successful credential logins that included a TOTP code for accounts that never enrolled in 2FA, for logins from unfamiliar locations, and for bursts of login attempts across many accounts; treat any such activity on an unpatched instance as a potential compromise, reset the affected users' sessions and credentials, and revoke tokens tied to those accounts. Independently of this CVE, authentication code should verify each factor unconditionally and in a fixed order, so that an optional second factor can only add a requirement and never replace the first. Update incident response runbooks to cover account takeover in the scheduling system.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T22:44:04.707Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693096f5728fb3f62eb70505
Added to database: 12/3/2025, 8:00:53 PM
Last enriched: 12/10/2025, 8:51:00 PM
Last updated: 1/18/2026, 5:47:55 AM