CVE-2025-66552
📋 TL;DR
This vulnerability in Nextcloud Server causes the admin_audit app to fail to log actions on files and folders within groupfolders due to incorrect path handling. It affects Nextcloud Server and Enterprise Server installations prior to versions 30.0.9 and 31.0.1. This creates a gap in audit trails for administrative monitoring.
💻 Affected Systems
- Nextcloud Server
- Nextcloud Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Malicious insiders or compromised accounts could perform unauthorized file operations within groupfolders without detection in audit logs, enabling data theft or tampering that goes unrecorded.
Likely Case
Administrators lose visibility into legitimate or accidental file modifications within groupfolders, complicating incident investigation and compliance reporting.
If Mitigated
With proper access controls and monitoring of other logs, the impact is limited to incomplete audit trails rather than direct data compromise.
🎯 Exploit Status
Exploitation requires authenticated access to perform file operations within groupfolders; the vulnerability itself is in logging, not access control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 30.0.9 or 31.0.1
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ww9m-f8j4-jj9x
Restart Required: No
Instructions:
1. Back up your Nextcloud installation and database.
2. Update Nextcloud to version 30.0.9 (for v30) or 31.0.1 (for v31) via the web updater or manual download.
3. Run occ upgrade via command line if needed.
🔧 Temporary Workarounds
Disable admin_audit app
Temporarily disable the affected logging component until patching (Linux).
sudo -u www-data php occ app:disable admin_audit
Disable groupfolders app
Remove the affected functionality if groupfolders are not essential (Linux).
sudo -u www-data php occ app:disable groupfolders
🧯 If You Can't Patch
- Enable additional file integrity monitoring on groupfolder directories to detect changes.
- Implement strict access controls and review user permissions for groupfolders regularly.
🔍 How to Verify
Check if Vulnerable:
Check Nextcloud version via admin panel or run: sudo -u www-data php occ status | grep version
Check Version:
sudo -u www-data php occ status | grep version
Verify Fix Applied:
After update, verify version is 30.0.9+ or 31.0.1+, then test audit logging by performing file operations in a groupfolder and checking admin_audit logs.
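The version check above can be scripted. The following is an added example, not code from Nextcloud or the advisory: it reads `occ status` output and classifies the version against the fixed releases named on this page. The function names and the sample output are constructed for illustration, and treating releases older than 30 as unpatched is an assumption.

```shell
#!/bin/sh
# Added example: classify a Nextcloud version against the fixed releases
# named on this page (30.0.9 and 31.0.1). Function names are hypothetical.

# Constructed sample of `occ status` output (not captured from a real host).
SAMPLE_STATUS='  - installed: true
  - version: 30.0.8.1
  - versionstring: 30.0.8
  - edition: '

# Read `occ status` output on stdin, print the numeric major.minor.patch
# taken from the "versionstring" line (any pre-release suffix is dropped).
nc_versionstring() {
    sed -n 's/^[[:space:]]*-[[:space:]]*versionstring:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print "patched", "vulnerable" or "unknown" for a version such as 30.0.8.
# Assumption: releases older than 30 count as unpatched, because the page
# only names fixes on the 30 and 31 branches.
nc_audit_fix_status() {
    local major minor patch rest part
    IFS=. read -r major minor patch rest <<EOF
$1
EOF
    # Reject anything that is not three numeric components.
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$major" -lt 30 ]; then
        echo vulnerable
    elif [ "$major" -eq 30 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 9 ]; then
        echo vulnerable
    elif [ "$major" -eq 31 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 1 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Live use: sudo -u www-data php occ status | nc_versionstring
v=$(printf '%s\n' "$SAMPLE_STATUS" | nc_versionstring)
echo "$v: $(nc_audit_fix_status "$v")"
```

A "patched" result only confirms the version; the groupfolder file-operation test described above is still needed to confirm that audit entries are actually written.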
📡 Detection & Monitoring
Log Indicators:
- Missing or incomplete entries in admin_audit logs for groupfolder file operations
- Discrepancies between actual file changes and audit records
Network Indicators:
- None specific to this vulnerability
SIEM Query:
source="nextcloud.log" AND "admin_audit" AND "groupfolder" AND (NOT "file created" OR NOT "file deleted" OR NOT "file renamed")