Critical Vulnerability in Cal.com: CVE-2025-66489 Allows Account Takeover

Overview

CVE-2025-66489 is a critical security vulnerability affecting Cal.com, the open-source scheduling software. This flaw allows an attacker to bypass password verification by manipulating the TOTP code during login, potentially leading to unauthorized access to user accounts. The vulnerability exists in versions prior to 5.9.8 and is due to problematic conditional logic within the authentication flow.

Technical Details

The vulnerability stems from a flaw in Cal.com’s login credentials provider. The authentication flow handles TOTP code verification incorrectly, so the standard password check can be bypassed. An attacker who supplies a valid (or potentially even specially crafted) TOTP code in a manipulated login request can circumvent password verification and gain access to the targeted account without knowing the user’s password. The root cause is faulty conditional logic that does not properly enforce both the password and the TOTP requirement together.
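To make the bug class concrete, the following is an added, hypothetical model of an authentication check in which a TOTP branch short-circuits the password check, shown beside the hardened form that always verifies the password and treats TOTP as an additional mandatory gate. This is illustrative code written for this article, not Cal.com’s actual credentials provider; all names (StoredUser, LoginRequest, authorizeVulnerable, authorizeFixed, demoUser) are assumptions, and the demo account is constructed.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical model of the bug class, not Cal.com's code. Password hashes use
// plain sha256 only for brevity; a real provider would use bcrypt or argon2.
export interface StoredUser { email: string; passwordHash: string; totpSecret: Buffer | null }
export interface LoginRequest { email: string; password: string; totpCode?: string }

export const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

function passwordMatches(user: StoredUser, password: string): boolean {
  const a = Buffer.from(sha256(password), "hex");
  const b = Buffer.from(user.passwordHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a given 30-second time step.
export function totpAt(secret: Buffer, step: number): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(step));
  const mac = createHmac("sha1", secret).update(counter).digest();
  const off = mac.readUInt8(mac.length - 1) & 0x0f;        // dynamic truncation offset
  const bin = mac.readUInt32BE(off) & 0x7fffffff;          // 31-bit value at offset
  return String(bin % 1_000_000).padStart(6, "0");
}

// totpSecret === null means 2FA is not enabled; totpCode is client-controlled.
function totpMatches(user: StoredUser, code: string | undefined, step: number): boolean {
  return user.totpSecret !== null && code !== undefined && code === totpAt(user.totpSecret, step);
}

// Vulnerable shape: a supplied TOTP code is checked first and, when it matches,
// the function returns before the password is ever compared.
export function authorizeVulnerable(user: StoredUser, req: LoginRequest, step: number): boolean {
  if (req.totpCode !== undefined) return totpMatches(user, req.totpCode, step);
  return passwordMatches(user, req.password);
}

// Hardened shape: the password is always verified, and TOTP is an additional
// gate that is mandatory whenever the account has 2FA enabled.
export function authorizeFixed(user: StoredUser, req: LoginRequest, step: number): boolean {
  if (!passwordMatches(user, req.password)) return false;
  return user.totpSecret === null || totpMatches(user, req.totpCode, step);
}

// Constructed demo account; the secret is the RFC 6238 test-vector key, not a real credential.
export const demoUser: StoredUser = {
  email: "alice@example.test",
  passwordHash: sha256("correct-horse-battery-staple"),
  totpSecret: Buffer.from("12345678901234567890", "ascii"),
};
```

When reviewing a credentials provider for this class of defect, look for any early return on the second-factor path that is reachable without the password comparison having run.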

CVSS Analysis

Based on the information currently available, no CVSS score or severity has been assigned (both are marked N/A). Given the nature of the vulnerability (account takeover), it is highly likely that, once scored, it would receive a CVSS score reflecting HIGH or CRITICAL severity.

Possible Impact

The impact of this vulnerability is severe. Successful exploitation allows an attacker to:

  • Gain unauthorized access to user accounts.
  • Access and potentially modify sensitive scheduling information.
  • Impersonate users, leading to further malicious activities.
  • Compromise the privacy and security of scheduled meetings and events.

The potential for widespread compromise makes patching this vulnerability a critical priority.

Mitigation or Patch Steps

The vulnerability is fixed in Cal.com version 5.9.8. To mitigate this risk, the following steps are strongly recommended:

  1. Upgrade to version 5.9.8 or later immediately. This is the most effective way to address the vulnerability.
  2. Review Cal.com access logs for any suspicious login attempts, especially those involving TOTP.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.