CVE-2025-66489
Published: 03 December 2025
Summary
CVE-2025-66489 is a critical-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Cal.com (vendor: Cal). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-2 (Identification and Authentication (Organizational Users)): requires systems to correctly identify and authenticate organizational users using defined authenticators, directly preventing the TOTP-based password bypass in Cal.com's authentication flow.
- Mandates proper management of authenticators including TOTP, addressing mishandling in the login credentials provider's conditional logic.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of system flaws, such as patching Cal.com to version 5.9.8 to remediate the authentication bypass vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): a critical authentication bypass in a public-facing scheduling web application (AV:N/PR:N) directly enables unauthenticated remote exploitation for initial access.
NVD Description
Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
Deeper analysis
CVE-2025-66489 is a critical authentication bypass vulnerability in Cal.com, an open-source scheduling software. In versions prior to 5.9.8, a flaw in the login credentials provider enables attackers to skip password verification when a TOTP code is supplied, stemming from faulty conditional logic in the authentication flow. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-303 (Incorrect Implementation of Authentication Algorithm).
Any unauthenticated attacker with network access can exploit this issue remotely with low complexity and no user interaction required. Exploitation allows bypassing password checks during login attempts that include a valid TOTP code, resulting in unauthorized access to affected user accounts and high-impact compromise of confidentiality, integrity, and availability.
The vulnerability is remediated in Cal.com version 5.9.8. Additional details on the fix and affected configurations are available in the GitHub security advisory at https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98.
Details
- CWE(s)