CVE-2025-66377

7.5 HIGH

📋 TL;DR

Pexip Infinity installations before version 39.0 have an internal API vulnerability where critical functions lack authentication. This allows an attacker who already has code execution on one node to affect other nodes in the same deployment. Organizations running vulnerable Pexip Infinity versions are affected.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: All versions before 39.0
Operating Systems: Linux-based Pexip Infinity OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to already have code execution on at least one node in the Pexip Infinity installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with initial foothold on one node could disrupt or compromise the entire Pexip Infinity deployment, potentially causing service outages or data breaches.

🟠 Likely Case

Lateral movement within the Pexip Infinity cluster allowing attackers to expand their control from compromised nodes to other nodes.

🟢 If Mitigated

Limited to the initially compromised node with no ability to affect other infrastructure components.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires existing access to execute code on a Pexip Infinity node, then leveraging the internal API vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 39.0 or later

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to Pexip Infinity version 39.0 or later following vendor upgrade procedures.
3. Verify all nodes are running the patched version.
4. Test functionality after the upgrade.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Pexip Infinity nodes from each other and restrict internal API communication

Access Control Hardening

all

Strengthen authentication and authorization controls on all Pexip Infinity nodes

🧯 If You Can't Patch

  • Implement strict network segmentation between Pexip Infinity nodes
  • Enhance monitoring and alerting for suspicious internal API calls between nodes

🔍 How to Verify

Check if Vulnerable:

Check the Pexip Infinity version via the admin interface or CLI on every node. If the version is below 39.0, the system is vulnerable.

Check Version:

pexadmin --version

Verify Fix Applied:

Confirm all nodes are running version 39.0 or later and test internal API authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unusual internal API calls between nodes
  • Authentication failures for internal API endpoints
  • Unexpected node-to-node communication patterns

Network Indicators:

  • Abnormal internal API traffic between Pexip nodes
  • Unauthenticated requests to internal API endpoints

SIEM Query:

source="pexip" AND ((event_type="api_call" AND auth_status="failed") OR (src_ip IN [pexip_nodes] AND dst_ip IN [pexip_nodes] AND protocol="api"))
