CVE-2025-66723: n/a
inMusic Brands Engine DJ before 4.3.4 suffers from Insecure Permissions due to exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths.
AI Analysis
Technical Summary
CVE-2025-66723 is a vulnerability identified in inMusic Brands Engine DJ software versions prior to 4.3.4. The root cause is insecure permissions stemming from an exposed HTTP service within the Remote Library feature. This exposure allows remote attackers to access all files and network paths available to the service without requiring any authentication or user interaction. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating that the software improperly restricts access to sensitive resources. The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can read sensitive files and potentially map network shares, which could facilitate further lateral movement or data exfiltration. No integrity or availability impacts are noted. Although no public exploits have been reported yet, the ease of exploitation and the broad access granted make this a critical concern for affected users. The lack of available patches at the time of reporting means organizations must rely on interim mitigations until an update is released.
Potential Impact
For European organizations, the exposure of sensitive files and network paths can lead to significant data breaches, intellectual property theft, and potential exposure of personal data protected under GDPR. Industries such as music production, event management, and entertainment technology, where Engine DJ software is commonly used, are at heightened risk. Attackers could leverage this vulnerability to gain insights into network architecture or harvest credentials stored in accessible files, enabling further compromise. The confidentiality breach could damage brand reputation, lead to regulatory fines, and disrupt business operations. Since the vulnerability does not directly affect integrity or availability, the immediate operational impact may be limited, but the long-term consequences of data exposure are severe. European organizations with remote or cloud-based deployments of Engine DJ are particularly exposed because the HTTP service is reachable over the network.
Mitigation Recommendations
1. Immediately restrict network access to the Remote Library HTTP service using firewalls or network segmentation to limit exposure to trusted hosts only.
2. Implement strict access controls and authentication mechanisms around the HTTP service if possible, even before official patches are available.
3. Monitor network traffic for unusual access patterns to the Remote Library service to detect potential exploitation attempts.
4. Regularly audit file permissions and network shares on systems running Engine DJ to ensure no unintended exposure.
5. Plan and prioritize upgrading to version 4.3.4 or later as soon as the patch is released by inMusic Brands.
6. Educate IT and security teams about this vulnerability to ensure rapid response and containment.
7. Consider deploying host-based intrusion detection systems (HIDS) to alert on unauthorized file access attempts related to this service.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 695450a0db813ff03e2bda7b
Added to database: 12/30/2025, 10:22:24 PM
Last enriched: 1/6/2026, 11:53:37 PM
Last updated: 1/7/2026, 4:12:44 AM