CVE-2025-66572: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in loadedcommerce Loaded Commerce
Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter.
AI Analysis
Technical Summary
CVE-2025-66572 is an OS command injection vulnerability classified under CWE-78 affecting Loaded Commerce version 6.6. The flaw exists because special characters in the 'search' parameter are not properly neutralized before the server processes the value. This allows unauthenticated attackers to inject and execute arbitrary operating system commands remotely. The advisory describes the issue as a client-side template injection that leads to server-side code execution, which can compromise the server's confidentiality, integrity, and availability. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector and the absence of required privileges or user interaction, offset by limited scope and impact. No patches or known exploits are currently available, but the nature of the vulnerability makes it a critical risk if weaponized. Attackers exploiting this flaw could gain control over the server, access sensitive data, or disrupt services. The vulnerability is particularly dangerous because it requires no authentication, so any exposed Loaded Commerce 6.6 instance is reachable by a remote attacker.
Potential Impact
For European organizations, especially those running Loaded Commerce 6.6 for online retail, this vulnerability could lead to unauthorized server access, data theft, or service outages. Compromise of e-commerce platforms can result in leakage of customer data, payment information, and intellectual property, damaging reputation and incurring regulatory penalties under GDPR. The ability to execute arbitrary commands on the server could also enable attackers to pivot within internal networks, increasing the risk of broader enterprise compromise. Disruption of e-commerce services could cause significant financial losses and customer trust erosion. Given the unauthenticated nature of the exploit, attackers can scan and target vulnerable servers en masse, increasing the likelihood of widespread impact across European markets with significant e-commerce activity.
Mitigation Recommendations
1. Monitor for official patches or updates from Loaded Commerce and apply them immediately once released.
2. Implement strict input validation and sanitization on all user-supplied parameters, especially the 'search' parameter, to neutralize special characters and prevent command injection.
3. Deploy Web Application Firewalls (WAFs) configured to detect and block OS command injection patterns targeting Loaded Commerce.
4. Restrict server permissions to minimize the impact of potential command execution, using least privilege principles.
5. Conduct regular security assessments and code reviews focusing on input handling in web applications.
6. Monitor logs for unusual command execution attempts or anomalies related to the search functionality.
7. Segment e-commerce servers from critical internal networks to limit lateral movement if compromised.
8. Educate development and operations teams about secure coding practices and the risks of client-side template injections.
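As an added illustration of recommendation 6 (this is example code, not code from Loaded Commerce or from the advisory), the following Python scanner reads constructed web-server access-log lines and flags requests whose decoded `search` parameter contains shell metacharacters or template delimiters; the log format, IP addresses and query strings are assumed sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2025:20:53:01 +0000] "GET /index.php?search=winter+jacket HTTP/1.1" 200 5120
203.0.113.9 - - [04/Dec/2025:20:54:12 +0000] "GET /index.php?search=shoes%3Bid HTTP/1.1" 200 301
203.0.113.9 - - [04/Dec/2025:20:54:40 +0000] "GET /index.php?search=%7B%7B7*7%7D%7D HTTP/1.1" 200 298
203.0.113.12 - - [04/Dec/2025:20:55:03 +0000] "GET /index.php?search=men%27s+boots HTTP/1.1" 200 4870
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Shell metacharacters that have no place in a product search term, and
# template delimiters that indicate template-injection probing.
SHELL_META = re.compile(r'[;|&`$<>\n]')
TEMPLATE_DELIM = re.compile(r'\{\{|\}\}|\{%|%\}|\$\{')


def extract_search(target: str):
    """Return the URL-decoded 'search' query parameter of a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("search")
    return values[0] if values else None


def classify(term: str):
    """Return the list of reasons a decoded search term looks like an injection attempt."""
    reasons = []
    if SHELL_META.search(term):
        reasons.append("shell-metacharacter")
    if TEMPLATE_DELIM.search(term):
        reasons.append("template-delimiter")
    return reasons


def scan_log(text: str):
    """Return (ip, timestamp, decoded term, reasons) for every suspicious search request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        term = extract_search(m.group("target"))
        if term is None:
            continue  # request did not touch the search function
        reasons = classify(term)
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), term, reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, term, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} search={term!r} flags={','.join(reasons)}")
```

The decoded term is checked after percent-decoding, so encoded metacharacters such as `%3B` are caught; a quote or apostrophe alone is not flagged, to keep ordinary searches like "men's boots" quiet.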
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-04T16:20:14.992Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6931f4e10459f550ecf89e8e
Added to database: 12/4/2025, 8:53:53 PM
Last enriched: 12/4/2025, 9:10:57 PM
Last updated: 12/5/2025, 2:39:09 AM