CVE-2025-59683
📋 TL;DR
Pexip Infinity versions 15.0 through 38.0 have an improper access control vulnerability in the Secure Scheduler for Exchange service when using Office 365 Legacy Exchange Tokens. This allows remote attackers to read sensitive data and cause denial of service through resource exhaustion. Organizations using affected Pexip Infinity versions with Office 365 Legacy Exchange Tokens are vulnerable.
💻 Affected Systems
- Pexip Infinity
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through sensitive data exposure and sustained denial of service affecting all video conferencing functionality.
Likely Case
Unauthorized access to scheduling data and intermittent service disruption affecting meeting reliability.
If Mitigated
Limited impact with proper network segmentation and monitoring, potentially only affecting isolated scheduling components.
🎯 Exploit Status
Exploitation requires access to the scheduling service but does not require authentication to the Pexip Infinity platform itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 38.1 or later
Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm
Restart Required: Yes
Instructions:
1. Download Pexip Infinity version 38.1 or later from the Pexip support portal.
2. Follow the Pexip Infinity upgrade procedure documented in the administration guide.
3. Restart all Pexip Infinity services after upgrade completion.
🔧 Temporary Workarounds
Disable Legacy Exchange Tokens
Switch from Office 365 Legacy Exchange Tokens to modern authentication methods
Configure Exchange integration to use modern OAuth 2.0 authentication instead of legacy tokens
Restrict Network Access
Limit access to the Secure Scheduler service to trusted networks only
Configure firewall rules to restrict access to TCP ports used by Secure Scheduler service
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Secure Scheduler service from untrusted networks
- Enable detailed logging and monitoring for suspicious access patterns to scheduling endpoints
🔍 How to Verify
Check if Vulnerable:
Check Pexip Infinity version via admin interface and verify if using Office 365 Legacy Exchange Tokens with Secure Scheduler
Check Version:
From Pexip admin interface: System > About, or SSH to management node and run 'pexip --version'
Verify Fix Applied:
Confirm version is 38.1 or later and verify Secure Scheduler service is functioning normally
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to /api/admin/scheduler/ endpoints
- Failed authentication attempts followed by successful scheduling operations
- Resource exhaustion alerts from Pexip monitoring
Network Indicators:
- High volume of requests to scheduling API from unexpected sources
- Traffic patterns indicating enumeration of scheduling data
SIEM Query:
source="pexip" AND (uri_path="/api/admin/scheduler/*" OR event_type="scheduler_access") AND status_code=200 | stats count by src_ip
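The following is an added example of the same detection logic run offline over constructed log lines; it is not part of this advisory and not Pexip's own log format. It assumes a key=value line layout with `src_ip`, `uri_path`, `status_code` and `event_type` fields (mirroring the SIEM query above), an assumed `auth_failed` event type for the "failed authentication followed by successful scheduling operation" indicator, and a placeholder `/api/admin/login` path. It counts successful hits on `/api/admin/scheduler/` per source IP, flags sources above a volume threshold, and flags sources whose auth failure is followed by a successful scheduler access.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed format, not real Pexip output).
# Fields: timestamp, source IP, request path, HTTP status, event type.
SAMPLE_LOGS = [
    "2025-01-01T10:00:01Z src_ip=10.0.0.5 uri_path=/api/admin/scheduler/meetings status_code=200 event_type=scheduler_access",
    "2025-01-01T10:00:02Z src_ip=10.0.0.5 uri_path=/api/admin/scheduler/meetings status_code=200 event_type=scheduler_access",
    "2025-01-01T10:00:03Z src_ip=10.0.0.5 uri_path=/api/admin/scheduler/meetings status_code=200 event_type=scheduler_access",
    "2025-01-01T10:00:04Z src_ip=10.0.0.5 uri_path=/api/admin/scheduler/meetings status_code=200 event_type=scheduler_access",
    # Placeholder login path and assumed auth_failed event type
    "2025-01-01T10:00:05Z src_ip=192.0.2.10 uri_path=/api/admin/login status_code=401 event_type=auth_failed",
    "2025-01-01T10:00:06Z src_ip=192.0.2.10 uri_path=/api/admin/scheduler/rooms status_code=200 event_type=scheduler_access",
    "2025-01-01T10:00:07Z src_ip=10.0.0.7 uri_path=/api/admin/status status_code=200 event_type=status",
    # Denied scheduler request: excluded because the SIEM query filters on status_code=200
    "2025-01-01T10:00:08Z src_ip=10.0.0.8 uri_path=/api/admin/scheduler/meetings status_code=403 event_type=scheduler_access",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src_ip=(?P<src_ip>\S+)\s+uri_path=(?P<uri_path>\S+)"
    r"\s+status_code=(?P<status_code>\d+)\s+event_type=(?P<event_type>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict; return None on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status_code"] = int(rec["status_code"])
    return rec


def is_scheduler_hit(rec):
    """Same predicate as the SIEM query: scheduler path or scheduler_access event, status 200."""
    on_scheduler = rec["uri_path"].startswith("/api/admin/scheduler/") or rec["event_type"] == "scheduler_access"
    return on_scheduler and rec["status_code"] == 200


def count_scheduler_hits(lines):
    """Equivalent of '| stats count by src_ip' over successful scheduler requests."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_scheduler_hit(rec):
            counts[rec["src_ip"]] += 1
    return counts


def high_volume_sources(lines, threshold):
    """Source IPs whose successful scheduler request count reaches the threshold."""
    return {ip: n for ip, n in count_scheduler_hits(lines).items() if n >= threshold}


def failed_auth_then_scheduler(lines):
    """Source IPs with an auth failure followed (in log order) by a successful scheduler access."""
    failed = set()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event_type"] == "auth_failed":
            failed.add(rec["src_ip"])
        elif is_scheduler_hit(rec) and rec["src_ip"] in failed and rec["src_ip"] not in flagged:
            flagged.append(rec["src_ip"])
    return flagged


if __name__ == "__main__":
    # Threshold is illustrative; tune it to the normal scheduler request rate in your environment.
    print("scheduler hits by source:", dict(count_scheduler_hits(SAMPLE_LOGS)))
    print("high-volume sources (>=3):", high_volume_sources(SAMPLE_LOGS, 3))
    print("failed auth then scheduler access:", failed_auth_then_scheduler(SAMPLE_LOGS))
```

The volume threshold has no universal value; derive it from a baseline of normal scheduler traffic before alerting on it, and treat the failed-auth-then-success sequence as the higher-fidelity signal of the two.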