
CVE-2025-66548: CWE-116: Improper Encoding or Escaping of Output in nextcloud security-advisories

Severity: Low
Tags: CVE-2025-66548, CWE-116
Published: Fri Dec 05 2025 (12/05/2025, 17:26:11 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, the file extension can be spoofed by using RTLO characters, tricking users into downloading files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

AI-Powered Analysis

Last updated: 12/12/2025, 19:07:38 UTC

Technical Analysis

CVE-2025-66548 is classified under CWE-116 (Improper Encoding or Escaping of Output) and affects Nextcloud Deck, a kanban-style organization tool integrated with the Nextcloud platform. The flaw lies in how Deck renders attachment file names that contain Unicode bidirectional control characters, in particular the Right-to-Left Override (U+202E, RTLO). A renderer that honours RTLO draws everything after it in reverse order, so the extension the user sees need not be the extension the operating system uses. For example, the stored name 'invoice' followed by U+202E and then 'xcod.exe' is displayed as 'invoiceexe.docx', while the file system treats it as 'invoicexcod.exe', an executable. The visual spoofing supports social engineering: a user who believes they are opening a document may download and run an executable. Affected versions are Deck releases prior to 1.12.7, 1.14.4, and 1.15.1. The CVSS v3.1 base score is 3.3 (Low); the listed metrics correspond to the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, meaning the attacker needs an account with low privileges that can attach files to a Deck card, and the only rated impact is a limited loss of integrity. The UI:N metric describes placing the spoofed file; for any harm to follow, a victim must still act on the misleading name. No exploits in the wild have been reported. The vulnerability was publicly disclosed on December 5, 2025, and fixes are available in the versions named above. The root cause is that the Deck interface output the raw file name without encoding or neutralizing bidi control characters, leaving the attacker in control of the visual order of the displayed name.

Potential Impact

For European organizations using Nextcloud Deck, the main risk is social engineering through file extension spoofing. The flaw does not itself compromise confidentiality or availability, but a misleading name can lead a user to open a malicious file believing it to be a document, which may result in malware execution or damage to data integrity. Organizations that rely heavily on Nextcloud for collaboration and file sharing are more exposed if attackers use the flaw to distribute payloads disguised as benign documents. Because exploitation requires an authenticated, low-privileged account, remote exploitation by outsiders is limited; the realistic actors are insiders or attackers holding compromised credentials. The direct impact is therefore on data integrity and user trust, with an indirect confidentiality risk if a malicious file is executed. Given Nextcloud's wide use across European public and private sectors, particularly where open-source adoption is strong, the number of exposed users could be significant while instances remain unpatched.

Mitigation Recommendations

European organizations should upgrade Nextcloud Deck to 1.12.7, 1.14.4, or 1.15.1 (or later), which fix the rendering flaw. As defense in depth, validate uploaded file names server-side and reject or flag names containing Unicode bidirectional control characters: not only U+202E (RTLO) but also the other explicit embeddings and overrides (U+202A to U+202D) and the isolates (U+2066 to U+2069), all of which can reorder displayed text. Where users legitimately work with right-to-left scripts, flag rather than reject, since some of these characters can occur in genuine Arabic or Hebrew names. Any interface that shows file names should render these characters visibly or strip them rather than pass them through. Educate users to check the real extension of files shared through internal collaboration platforms, especially when a name looks unusual. Employ endpoint security capable of detecting and blocking execution of potentially malicious files regardless of their extension. Monitor file uploads and user activity logs within Nextcloud for attempts to upload files with obfuscated names. Consider restricting file uploads from untrusted users or external sources until patches are applied. Finally, maintain a patch management process that keeps collaboration tools current.
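One way to implement the file name check recommended above, which also reproduces the display trick described in the technical analysis, as an added example in JavaScript (this is not Nextcloud or Deck code; the function names, the rejection policy and the sample file names are assumptions for illustration):

```javascript
// Added example, not Nextcloud or Deck code: detect and neutralise Unicode
// bidirectional control characters in attachment file names, and show why a
// name like "invoice<U+202E>xcod.exe" reads as a .docx on screen.

// Bidi formatting characters that can change the displayed order of text:
//   U+202A..U+202E  LRE, RLE, PDF, LRO, RLO (explicit embeddings/overrides)
//   U+2066..U+2069  LRI, RLI, FSI, PDI     (isolates)
//   U+200E, U+200F  LRM, RLM               (marks)
//   U+061C          ALM                    (Arabic letter mark)
const BIDI_CONTROL = /[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]/;
const BIDI_CONTROL_ALL = new RegExp(BIDI_CONTROL.source, "g");

// True if the stored (logical-order) name contains any bidi control.
function hasBidiControls(name) {
  return BIDI_CONTROL.test(name);
}

// Approximate what a bidi-aware renderer shows for the RTLO trick: text
// after U+202E is drawn right-to-left until U+202C (PDF) or end of string.
// Deliberate simplification of UAX #9 (single override, otherwise
// left-to-right characters); enough to reproduce the spoof.
function displayedName(name) {
  let out = "";
  let i = 0;
  while (i < name.length) {
    if (name[i] === "\u202E") {
      let end = name.indexOf("\u202C", i + 1);
      if (end === -1) end = name.length;
      out += Array.from(name.slice(i + 1, end)).reverse().join("");
      i = end + 1;
    } else {
      out += name[i];
      i += 1;
    }
  }
  return out;
}

// Extension after the last '.', lower-cased; "" if there is none.
function extensionOf(s) {
  const dot = s.lastIndexOf(".");
  return dot === -1 ? "" : s.slice(dot + 1).toLowerCase();
}

// What the operating system will use: logical order, controls ignored.
function realExtension(name) {
  return extensionOf(name.replace(BIDI_CONTROL_ALL, ""));
}

// What the user believes they see.
function apparentExtension(name) {
  return extensionOf(displayedName(name));
}

// Hypothetical server-side upload policy (not Deck's API): reject names
// carrying bidi controls and report both extensions so the event can be
// logged. Switch `ok` to true and keep the reason to flag instead of reject.
function validateAttachmentName(name) {
  if (!hasBidiControls(name)) return { ok: true };
  return {
    ok: false,
    reason: "bidi-control-character",
    apparentExtension: apparentExtension(name),
    realExtension: realExtension(name),
  };
}

// Client-side rendering policy: replace controls with U+FFFD so the visual
// order of the displayed name can no longer be manipulated.
function safeDisplayName(name) {
  return name.replace(BIDI_CONTROL_ALL, "\uFFFD");
}

// Constructed sample attachment names (not real data): one benign, one
// RTLO-spoofed, one carrying an isolate instead of an override.
const SAMPLE_NAMES = [
  "report-q4.docx",
  "invoice\u202Excod.exe",
  "photo\u2067gnp.scr",
];

// Monitoring helper: the names in a batch that fail validation.
function flagSuspicious(names) {
  return names.filter((n) => !validateAttachmentName(n).ok);
}

for (const n of SAMPLE_NAMES) {
  console.log(JSON.stringify(n), "->", validateAttachmentName(n));
}
```

Run it with node. The server-side gate and the client-side replacement are two independent layers: the first keeps spoofed names out of storage, the second guarantees that whatever is stored cannot reorder on screen. The actual change shipped in the patched Deck releases is not reproduced here.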


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T15:52:26.550Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69331a32f88dbe026cff02b0

Added to database: 12/5/2025, 5:45:22 PM

Last enriched: 12/12/2025, 7:07:38 PM

Last updated: 2/7/2026, 4:46:33 AM
