CVE-2025-66558: CWE-639: Authorization Bypass Through User-Controlled Key in nextcloud security-advisories
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
AI Analysis
Technical Summary
CVE-2025-66558 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Nextcloud Twofactor WebAuthn provider. The vulnerability exists because the code that removes a WebAuthn 2FA device did not verify that the device belonged to the user making the request. An attacker who correctly guesses the 80-128 character random string associated with a victim's 2FA device can therefore remove that device from the victim's account. This does not let the attacker authenticate as the victim, but it disrupts the victim's 2FA setup: the victim is prompted to register a new device at the next login. Guessing such a long random string is impractical, so the attack complexity is high. The vulnerability affects Nextcloud Twofactor WebAuthn versions prior to 1.4.2 and 2.x versions from 2.0.0-beta.1 before 2.4.1. The CVSS v3.1 score is 3.1, reflecting low severity because there is no impact on confidentiality or availability and exploitation is complex. No known exploits are reported in the wild. The flaw is remediated in Nextcloud Twofactor WebAuthn versions 1.4.2 and 2.4.1 by adding the missing ownership check. The case illustrates why every operation on a 2FA device must be scoped to the authenticated user, not keyed solely on an identifier supplied in the request, in order to preserve the integrity of the authentication mechanism.
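The following is an added illustration of the CWE-639 pattern the summary describes, not Nextcloud's code: a device-removal routine keyed only on the device's random identifier, beside the hardened form that scopes the lookup to the acting user. The store layout, field names and function names are assumptions made for the example.

```python
"""Constructed model of a WebAuthn 2FA device registry (not Nextcloud code)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    user_id: str        # account that registered the device
    public_key_id: str  # long random identifier; the "user-controlled key" of CWE-639
    name: str


@dataclass
class DeviceStore:
    devices: dict = field(default_factory=dict)  # public_key_id -> Device

    def register(self, user_id: str, name: str) -> Device:
        # Constructed: 72 random bytes give a 96-character URL-safe string,
        # standing in for the 80-128 character identifier the advisory mentions.
        dev = Device(user_id, secrets.token_urlsafe(72), name)
        self.devices[dev.public_key_id] = dev
        return dev

    def remove_vulnerable(self, acting_user: str, public_key_id: str) -> bool:
        """Pre-fix shape: the identifier alone selects the row, so any
        authenticated user holding a valid identifier deletes the device."""
        return self.devices.pop(public_key_id, None) is not None

    def remove_fixed(self, acting_user: str, public_key_id: str) -> bool:
        """Post-fix shape: the lookup is scoped to the acting user, so an
        identifier owned by someone else is indistinguishable from 'not found'."""
        dev = self.devices.get(public_key_id)
        if dev is None or dev.user_id != acting_user:
            return False
        del self.devices[public_key_id]
        return True


def demo() -> tuple[bool, bool, bool]:
    """Replay the advisory's scenario: a second user presents the victim's identifier."""
    store = DeviceStore()
    victim_dev = store.register("alice", "hardware-key")
    # "mallory" is an ordinary authenticated user who knows alice's identifier.
    cross_user_fixed = store.remove_fixed("mallory", victim_dev.public_key_id)
    still_present = victim_dev.public_key_id in store.devices
    cross_user_vuln = store.remove_vulnerable("mallory", victim_dev.public_key_id)
    return cross_user_fixed, still_present, cross_user_vuln
```

`demo()` returns `(False, True, True)`: the ownership-scoped removal refuses and leaves the device in place, while the identifier-only removal deletes it.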
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential disruption of two-factor authentication integrity. Although the attacker cannot directly access victim accounts, forcibly removing a registered 2FA device can lead to temporary denial of secure access or increased support overhead as users must re-register their devices. This could be exploited in targeted attacks to cause inconvenience or to weaken multi-factor authentication controls, potentially facilitating subsequent attacks if combined with other vulnerabilities or social engineering. Organizations relying on Nextcloud for collaboration and file sharing, especially those in regulated sectors such as finance, healthcare, and government, may face increased risk of authentication disruption. The low severity and high complexity reduce the likelihood of widespread exploitation, but the impact on trust and operational continuity in sensitive environments remains a concern.
Mitigation Recommendations
European organizations using Nextcloud Twofactor WebAuthn should upgrade promptly to version 1.4.2 or 2.4.1 (or later) so that the ownership check is enforced. Additionally, organizations should audit their 2FA device management policies and monitor logs for unusual 2FA device removal activity, in particular removals performed by an account other than the device owner and bursts of removal attempts from a single source. Implementing rate limiting and anomaly detection on 2FA device management endpoints reduces the risk of brute-force guessing attempts. Educating users to report unexpected prompts to re-register a 2FA device helps detect potential exploitation. Network segmentation and strict access controls around Nextcloud instances further reduce exposure. Finally, organizations should maintain an inventory of the Nextcloud versions and apps deployed and apply security patches promptly to minimize exposure to known vulnerabilities.
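As an added sketch of the log monitoring recommended above (not Nextcloud's log schema or tooling), the following flags two symptoms a defender would look for: a device removal where the acting account is not the device owner, and a burst of removal attempts from one source within a short window. The JSON event format, field names and sample lines are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (not a real Nextcloud log).
SAMPLE_LOG = """\
{"ts":"2025-12-05T18:00:01Z","event":"webauthn.remove","actor":"alice","owner":"alice","result":"ok","ip":"198.51.100.10"}
{"ts":"2025-12-05T18:00:05Z","event":"webauthn.remove","actor":"mallory","owner":"alice","result":"ok","ip":"203.0.113.7"}
{"ts":"2025-12-05T18:01:00Z","event":"webauthn.remove","actor":"mallory","owner":null,"result":"not_found","ip":"203.0.113.7"}
{"ts":"2025-12-05T18:01:10Z","event":"webauthn.remove","actor":"mallory","owner":null,"result":"not_found","ip":"203.0.113.7"}
{"ts":"2025-12-05T18:01:20Z","event":"webauthn.remove","actor":"mallory","owner":null,"result":"not_found","ip":"203.0.113.7"}
{"ts":"2025-12-05T18:01:30Z","event":"webauthn.remove","actor":"mallory","owner":null,"result":"not_found","ip":"203.0.113.7"}
{"ts":"2025-12-05T18:09:00Z","event":"webauthn.remove","actor":"bob","owner":"bob","result":"ok","ip":"198.51.100.22"}
{"ts":"2025-12-05T19:30:00Z","event":"login","actor":"alice","ip":"198.51.100.10"}
"""


def parse(text):
    """Yield parsed events, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def analyze(text, burst_threshold=4, window=timedelta(minutes=5)):
    """Return (cross_user, bursts): successful removals where actor != owner,
    and (ip, actor) pairs with >= burst_threshold attempts inside `window`."""
    cross_user, bursts = [], []
    attempts = defaultdict(list)  # (ip, actor) -> timestamps of removal attempts
    for ev in parse(text):
        if ev.get("event") != "webauthn.remove":
            continue
        if ev.get("result") == "ok" and ev.get("owner") != ev.get("actor"):
            cross_user.append((ev["actor"], ev["owner"], ev["ts"].isoformat()))
        attempts[(ev["ip"], ev["actor"])].append(ev["ts"])
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                bursts.append(key)
                break
    return cross_user, bursts
```

A cross-user removal is the direct symptom of the missing ownership check; a burst of failed attempts is what identifier guessing against the endpoint would look like before rate limiting stops it.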
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:01:32.473Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69332135f88dbe026c01494d
Added to database: 12/5/2025, 6:15:17 PM
Last enriched: 12/5/2025, 6:30:59 PM
Last updated: 12/8/2025, 1:31:22 AM