
CVE-2025-66552: CWE-778: Insufficient Logging in nextcloud security-advisories

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-66552, cwe-778
Published: Fri Dec 05 2025 (12/05/2025, 16:36:39 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1.

AI-Powered Analysis

Last updated: 12/12/2025, 17:39:35 UTC

Technical Analysis

CVE-2025-66552 is a vulnerability classified under CWE-778 (Insufficient Logging) affecting Nextcloud Server and Enterprise Server versions prior to 30.0.9 and 31.0.1. The issue arises from incorrect path handling within the groupfolders feature, which causes the admin_audit app to fail in logging all actions performed on files and folders inside groupfolders. This logging deficiency means that certain file operations, such as creation, modification, or deletion, may not be recorded in audit logs, reducing visibility into user activities and potentially allowing malicious or unauthorized actions to go undetected. The vulnerability is exploitable remotely (network vector) by users with low privileges (PR:L), without requiring user interaction (UI:N). The scope is unchanged (S:U), and the impact affects availability of audit logs (A:L) but does not compromise confidentiality or integrity. Although no known exploits are reported in the wild, the lack of comprehensive logging can hinder incident response and forensic investigations, especially in environments where groupfolders are heavily used for collaborative file sharing. The vulnerability is fixed in Nextcloud Server and Enterprise Server versions 30.0.9 and 31.0.1 and later. Organizations relying on Nextcloud for file storage and collaboration should upgrade to these versions to ensure complete audit logging functionality.

Potential Impact

For European organizations, this vulnerability primarily impacts the reliability and completeness of audit logs within Nextcloud environments that utilize groupfolders. Insufficient logging can impair the ability to detect insider threats, unauthorized data modifications, or data deletions, thereby weakening security monitoring and incident response capabilities. While the vulnerability does not directly expose sensitive data or allow privilege escalation, the reduced visibility can indirectly increase risk by masking malicious activities. Organizations in sectors with strict compliance requirements for audit trails, such as finance, healthcare, and government, may face regulatory challenges if audit logs are incomplete. The impact is more pronounced in large enterprises or institutions with extensive use of groupfolders for collaborative workflows. Since Nextcloud is widely adopted in Europe, especially in countries promoting data sovereignty and self-hosted solutions, the risk of operational disruption and compliance issues is significant if the vulnerability is not addressed.

Mitigation Recommendations

1. Immediately upgrade all Nextcloud Server and Enterprise Server instances to version 30.0.9, 31.0.1, or later to apply the fix for this vulnerability.
2. Conduct a thorough audit of existing logs to identify any gaps or missing entries related to groupfolders activities prior to patching.
3. Implement enhanced monitoring and alerting on file operations within groupfolders to detect suspicious behavior that may not be fully captured by audit logs.
4. Restrict access to groupfolders to only necessary users and enforce least privilege principles to minimize potential misuse.
5. Regularly review and test the admin_audit app's logging capabilities post-patching to ensure comprehensive coverage.
6. Consider deploying additional external logging or SIEM integration to supplement Nextcloud's native audit logs for critical environments.
7. Educate administrators and security teams about this vulnerability and the importance of verifying audit log integrity.
8. Maintain an incident response plan that accounts for potential gaps in logging and includes alternative detection methods.
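For the first recommendation, the fix landed on two release branches, so a plain "greater than 30.0.9" comparison would wrongly clear a 31.0.0 server. The following is an added example, not code from the advisory or from Nextcloud: a branch-aware check over `status.php` response bodies that are assumed to have been collected already (hostnames and versions below are constructed, and the treatment of branches outside 30 and 31 is an assumption noted in the code).

```python
import json

# Fixed releases named in the advisory, keyed by major version (release branch).
FIXED = {30: (30, 0, 9), 31: (31, 0, 1)}


def parse_version(text):
    """Turn '30.0.8' or '30.0.8.1' into a 3-tuple of ints (build number dropped)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version_text):
    """True if the version predates the fix on its own release branch."""
    version = parse_version(version_text)
    major = version[0]
    if major in FIXED:
        return version < FIXED[major]
    # Assumption: branches older than 30 count as affected ("prior to 30.0.9"),
    # and branches newer than 31 already contain the fix.
    return major < min(FIXED)


def triage(inventory):
    """Map host -> 'upgrade' | 'ok' | 'unknown' from collected status.php bodies."""
    result = {}
    for host, body in inventory.items():
        try:
            version = json.loads(body)["version"]
            result[host] = "upgrade" if is_affected(version) else "ok"
        except (ValueError, KeyError, TypeError, AttributeError):
            result[host] = "unknown"  # unparsable answer: check this host by hand
    return result


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE = {
    "cloud-a.example": '{"installed":true,"version":"30.0.8.1","versionstring":"30.0.8"}',
    "cloud-b.example": '{"installed":true,"version":"31.0.0.18","versionstring":"31.0.0"}',
    "cloud-c.example": '{"installed":true,"version":"31.0.1.2","versionstring":"31.0.1"}',
    "cloud-d.example": "<html>maintenance</html>",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts reported as `upgrade` are also the ones whose pre-patch audit logs should be treated as incomplete for groupfolder activity when carrying out the second recommendation.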


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T15:57:22.034Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69330c20f88dbe026cf88df9

Added to database: 12/5/2025, 4:45:20 PM

Last enriched: 12/12/2025, 5:39:35 PM

Last updated: 1/19/2026, 9:01:56 PM
