CVE-2025-66443

7.5 HIGH

📋 TL;DR

Pexip Infinity versions 35.0 through 38.1 have an improper input validation vulnerability in WebRTC signaling when using non-default Direct Media configurations. Attackers can trigger a software abort, causing temporary denial of service. Only systems with Direct Media for WebRTC enabled are affected.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: 35.0 through 38.1
Operating Systems: All supported Pexip OS platforms
Default Config Vulnerable: ✅ No
Notes: Only affects non-default configurations where Direct Media for WebRTC is enabled. Standard WebRTC configurations are not vulnerable.

📦 What is this software?

Pexip Infinity is a video conferencing platform that accepts browser (WebRTC) participants alongside other client types; the component affected here is its WebRTC signaling path when the non-default Direct Media option is in use.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Repeated triggering keeps the WebRTC signaling component aborting faster than it can recover, so every WebRTC session using Direct Media on the affected system is disrupted for as long as the attack continues, including critical video conferencing operations.

🟠

Likely Case

Targeted DoS against specific meetings or users: each abort drops the affected WebRTC sessions, participants have to rejoin once the service comes back, and administrators may need to confirm recovery manually.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring; the aborted service recovers automatically, so exposure is limited to the sessions in progress at the moment of the abort.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending malformed WebRTC signaling messages to an endpoint that has Direct Media for WebRTC enabled; no credentials are needed, which is why the exploit is rated unauthenticated and low complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 39.0

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current Management Node configuration
2. Download Pexip Infinity 39.0 from the official portal
3. Follow the Pexip upgrade documentation for your deployment type
4. Apply the update through the Management Node administrative interface
5. Restart services as prompted, then confirm every node reports 39.0 or later

🔧 Temporary Workarounds

Disable Direct Media for WebRTC

all

Switch back to the default WebRTC configuration (Direct Media off), which is not vulnerable. Pexip Infinity is administered through the Management Node web interface and its management REST API, not a shell CLI; the commands below are illustrative placeholders for "turn the setting off and restart", not documented Pexip commands, so make the change in the administrative interface and verify it there.

pexip-config set webrtc.direct_media false   # placeholder, not a documented Pexip command
pexip-service restart                        # placeholder, not a documented Pexip command

Restrict WebRTC Signaling Access

linux

Limit which networks can send WebRTC signaling to vulnerable systems. WebRTC signaling shares TCP/443 with all other browser client traffic, so an allowlist on 443 blocks every web client outside it; apply the restriction at the perimeter firewall or load balancer in front of the Conferencing Nodes rather than on the nodes themselves. The rules below show the allowlist pattern; the ACCEPT must be evaluated before the DROP, which appending in this order achieves only if no earlier DROP rule already matches.

# replace trusted_network with the real CIDR (for example 192.0.2.0/24)
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable Direct Media for WebRTC configuration immediately
  • Implement strict network ACLs to limit WebRTC signaling to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Vulnerable only if both conditions hold: the installed version is 35.0 through 38.1 inclusive, and Direct Media for WebRTC is enabled. A system in the affected version range with Direct Media off is not exposed.

Check Version:

The installed version is shown in the Management Node administrative interface and via the management REST API; the command below is the page's placeholder, not a documented Pexip command.

pexip-version   # placeholder

Verify Fix Applied:

Confirm every node reports version 39.0 or higher, then test WebRTC functionality with Direct Media enabled.
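
The check described above, as an added example that is not part of the page or of Pexip's software: a small Python helper that decides exposure from the reported version string and the Direct Media setting. The version-string shapes it accepts (`38.1`, `v38.1`, `38.1 (build)`) and the sample build number are assumptions; adapt `parse_version()` to what your Management Node actually displays.

```python
"""Added example (not Pexip's code): CVE-2025-66443 exposure check from a
version string plus the Direct Media for WebRTC setting."""
import re
from typing import Tuple

AFFECTED_MIN = (35, 0)   # first affected release (page summary)
AFFECTED_MAX = (38, 1)   # last affected release
FIXED_MIN = (39, 0)      # patch release


def parse_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) from strings such as '38.1', 'v38.1' or
    '38.1 (82218.0.0)'. A bare major ('v39') is treated as minor 0.
    The accepted shapes are an assumption about the UI's display format."""
    m = re.search(r"v?(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected_version(text: str) -> bool:
    """Numeric tuple comparison: a plain string compare would rank
    '4.0' above '38.1' and misclassify releases."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def is_vulnerable(version_text: str, direct_media_webrtc_enabled: bool) -> bool:
    """Exposure needs both the affected version and the non-default setting."""
    return is_affected_version(version_text) and direct_media_webrtc_enabled


def fix_applied(version_text: str) -> bool:
    """True once the node reports the patch release or later."""
    return parse_version(version_text) >= FIXED_MIN


if __name__ == "__main__":
    # constructed inputs; the build number in parentheses is made up
    cases = [("38.1 (82218.0.0)", True), ("38.1", False),
             ("39.0", True), ("34.2", True)]
    for version, direct_media in cases:
        print(f"{version:18} direct_media={direct_media!s:5} "
              f"vulnerable={is_vulnerable(version, direct_media)} "
              f"fixed={fix_applied(version)}")
```

Feed it the version string each Conferencing Node reports and the current Direct Media setting; a node that is fixed but still in the affected range is impossible, so `fix_applied()` returning False for a "vulnerable=False" node means Direct Media is off, not that the patch is in place.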

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process aborts in Pexip logs
  • WebRTC session failures with error codes
  • Increased restart events for signaling services

Network Indicators:

  • Spike in malformed WebRTC signaling packets
  • Unusual traffic patterns to WebRTC ports from untrusted sources

SIEM Query:

source="pexip" AND ("abort" OR "crash" OR "unexpected termination") AND process="webrtc"

The field names (source, process) are placeholders; map them to how your SIEM indexes the syslog feed from the Pexip nodes, and alert on a burst of matches per node in a short window rather than on a single hit, since one abort may be an ordinary fault while several in a minute indicate an attacker repeating the trigger.
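
The burst logic behind that query, as an added example that is not from the page or from Pexip: a Python detector run over constructed syslog-style lines. The line format, the `pexip-webrtc` program name, the ABORT message text and the service-manager exit lines are all constructed for illustration; real Pexip log lines differ, so map the regular expressions to your support log or SIEM schema.

```python
"""Added example (not Pexip's code): detect a burst of WebRTC signaling
process aborts per host from syslog-style lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, not real Pexip output. Three aborts on conf-node-1
# within 16 seconds, one isolated abort on conf-node-2.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z conf-node-1 pexip-webrtc[2140]: session 7a1 answer received from 198.51.100.7
2025-12-01T10:00:02Z conf-node-1 pexip-webrtc[2140]: ABORT: assertion failed while processing WebRTC offer (direct media)
2025-12-01T10:00:03Z conf-node-1 systemd[1]: pexip-webrtc.service: main process exited, code=dumped, status=6/ABRT
2025-12-01T10:00:04Z conf-node-1 systemd[1]: pexip-webrtc.service: scheduled restart job
2025-12-01T10:00:09Z conf-node-1 pexip-webrtc[2188]: ABORT: assertion failed while processing WebRTC offer (direct media)
2025-12-01T10:00:10Z conf-node-1 systemd[1]: pexip-webrtc.service: main process exited, code=dumped, status=6/ABRT
2025-12-01T10:00:17Z conf-node-1 pexip-webrtc[2231]: ABORT: assertion failed while processing WebRTC offer (direct media)
2025-12-01T10:00:18Z conf-node-1 systemd[1]: pexip-webrtc.service: main process exited, code=dumped, status=6/ABRT
2025-12-01T10:00:20Z conf-node-2 pexip-webrtc[1990]: session 9c4 answer received from 203.0.113.9
2025-12-01T11:30:00Z conf-node-2 pexip-webrtc[1990]: ABORT: assertion failed while processing WebRTC offer (direct media)
"""

# timestamp host program[pid]: message  (assumed syslog-style layout)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[\w.-]+)\[\d+\]:\s+(?P<msg>.*)$")
# the page's indicator terms plus the service manager's abort-exit marker
ABORT_RE = re.compile(r"\bABORT\b|unexpected termination|status=6/ABRT|crash", re.IGNORECASE)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Split one line into (timestamp, host, program, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["prog"], m["msg"]


def abort_events(log_text: str, merge_window: timedelta = timedelta(seconds=3)) -> Dict[str, List[datetime]]:
    """Per-host timestamps of distinct abort incidents. The application's ABORT
    line and the service manager's exit line describe the same event, so a
    match within merge_window of the previous counted incident on that host
    is folded into it rather than counted twice."""
    incidents: Dict[str, List[datetime]] = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, _prog, msg = parsed
        if not ABORT_RE.search(msg):
            continue
        if incidents[host] and ts - incidents[host][-1] <= merge_window:
            continue
        incidents[host].append(ts)
    return dict(incidents)


def burst_hosts(incidents: Dict[str, List[datetime]], threshold: int = 3,
                window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Hosts with at least `threshold` distinct aborts inside any sliding
    `window`. One abort may be an ordinary fault; a burst looks like an
    attacker replaying the malformed signaling message."""
    flagged = []
    for host, times in incidents.items():
        times = sorted(times)
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = abort_events(SAMPLE_LOG)
    for host, times in found.items():
        print(f"{host}: {len(times)} distinct abort(s)")
    print("burst on:", burst_hosts(found))
```

Tune `merge_window` to how far apart your application and service-manager lines land for one crash, and `threshold`/`window` to the restart time of the signaling service: if it restarts in a few seconds, three aborts in a minute is already a sustained outage.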
