CVE-2025-66572: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in loadedcommerce Loaded Commerce
Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter.
AI Analysis
Technical Summary
CVE-2025-66572 is an OS command injection vulnerability classified under CWE-78, affecting Loaded Commerce version 6.6. The vulnerability stems from improper neutralization of special elements in the 'search' parameter, which the server processes without adequate sanitization. This flaw allows unauthenticated attackers to inject and execute arbitrary operating system commands remotely, leading to potential full system compromise. The vulnerability is related to client-side template injection, indicating that malicious input can manipulate server-side templates to execute commands. The CVSS 4.0 vector indicates the attack can be performed remotely (AV:N) with low attack complexity (AC:L), no authentication (PR:N), and no user interaction (UI:N). The impact on confidentiality and integrity is low to medium, with limited availability impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be considered exploitable. The absence of authentication and user-interaction requirements raises the risk profile, especially for internet-facing e-commerce platforms running this version. Its presence in a widely used e-commerce platform makes it a significant concern for organizations relying on Loaded Commerce 6.6 for their online storefronts.
Potential Impact
For European organizations, exploitation of CVE-2025-66572 could lead to unauthorized remote code execution on e-commerce servers, resulting in data breaches, defacement, or full server takeover. This could compromise customer data, payment information, and intellectual property, damaging brand reputation and leading to regulatory penalties under GDPR. The vulnerability's ease of exploitation and unauthenticated access make it a high-risk vector for attackers targeting European online retailers. Disruption of e-commerce services could also impact revenue and customer trust. Additionally, compromised servers could be leveraged as pivot points for further attacks within corporate networks. The impact is particularly critical for organizations with high transaction volumes or those handling sensitive personal data. Given the interconnected nature of supply chains, exploitation could have cascading effects on partners and customers across Europe.
Mitigation Recommendations
1. Immediate upgrade to a patched version of Loaded Commerce once available; monitor vendor advisories for updates.
2. Implement strict input validation and sanitization on the 'search' parameter to neutralize special characters and command injection vectors.
3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the search functionality.
4. Restrict server permissions to limit the impact of potential command execution, using least privilege principles.
5. Conduct regular security audits and penetration testing focusing on input handling and template injection vectors.
6. Monitor server logs and network traffic for anomalous activity indicative of exploitation attempts.
7. Isolate e-commerce servers from critical internal networks to reduce lateral movement risk.
8. Educate development teams on secure coding practices to prevent injection vulnerabilities in future releases.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-04T16:20:14.992Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6931f4e10459f550ecf89e8e
Added to database: 12/4/2025, 8:53:53 PM
Last enriched: 12/11/2025, 9:43:45 PM
Last updated: 1/19/2026, 12:32:58 AM