CVE-2025-70037 Overview
A URL Redirection to Untrusted Site vulnerability (CWE-601) has been reported in Linagora Twake v2023.Q1.1223. This open redirect lets an attacker hand a victim a link that starts with the trusted Twake host but lands on an attacker-controlled site. The redirect itself discloses no data and executes no code; its impact comes from the social engineering it enables: credential phishing on a look-alike login page, or malware delivery that the victim must still download and run.
Critical Impact
Attackers can craft malicious URLs that appear legitimate but redirect victims to attacker-controlled domains, enabling credential theft, phishing campaigns, and potential malware delivery.
Affected Products
- Linagora Twake v2023.Q1.1223
Discovery Timeline
- 2026-03-09 - CVE-2025-70037 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-70037
Vulnerability Analysis
This vulnerability is classified as an Open Redirect (CWE-601), which occurs when an application accepts user-controlled input that specifies a link to an external site and uses that input in a redirect. In the context of Twake, a team collaboration platform, this flaw can be particularly dangerous as users inherently trust URLs originating from their organization's communication tool.
The vulnerability enables attackers to craft specially formatted URLs that leverage the Twake application as a redirect proxy. When users click these malicious links—believing they are safe internal links—they are redirected to attacker-controlled websites. This attack requires user interaction, as victims must click the malicious link for the redirect to occur.
Root Cause
The root cause is insufficient validation of a URL parameter that Twake uses as a redirect destination. The application does not verify that the destination stays on a trusted host before issuing the redirect, so, whether through missing allowlist validation or lenient URL parsing, an external URL supplied in the parameter is passed through unchanged. The affected endpoint and parameter name are not stated here; the referenced proof of concept identifies them.
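The vulnerable pattern beside a hardened one, as an added example that is not Twake's code and not taken from the proof of concept: it assumes a hypothetical `/redirect?next=` parameter (the real endpoint and parameter are not named on this page), an assumed deployment origin `https://twake.example`, and an assumed host allowlist. `unsafeRedirectTarget` reproduces the CWE-601 behaviour; `safeRedirectTarget` resolves the value the way a browser would and enforces an exact hostname allowlist, which is what defeats the protocol-relative, backslash, userinfo and subdomain-prefix bypasses that a substring check on the trusted name would miss.

```javascript
// Added example, not Twake's code. The endpoint, parameter name, origin and
// allowlist below are assumptions made for this demonstration.
const APP_ORIGIN = 'https://twake.example';                       // assumed deployment origin
const TRUSTED_HOSTS = new Set(['twake.example', 'sso.example']);  // assumed allowlist

// Vulnerable pattern (CWE-601): whatever arrives in ?next= becomes the Location header.
function unsafeRedirectTarget(next) {
  return next || '/';
}

// Hardened pattern: resolve the value with the WHATWG URL parser against the app
// origin (the same resolution a browser performs), then require http(s) and an
// exact hostname match against the allowlist. Anything else falls back.
function safeRedirectTarget(next, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0 || next.length > 2048) return fallback;
  let url;
  try {
    url = new URL(next, APP_ORIGIN); // '//evil.example' and '/\evil.example' both resolve to evil.example
  } catch {
    return fallback;                 // unparsable input is never a redirect target
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback; // javascript:, data:, ...
  if (!TRUSTED_HOSTS.has(url.hostname)) return fallback; // hostname excludes userinfo and port
  return url.href;                   // normalised absolute URL on a trusted host
}

// Constructed test vectors: input and whether a redirect to it should be allowed.
const CASES = [
  ['/dashboard', true],
  ['https://twake.example/app', true],
  ['HTTPS://TWAKE.EXAMPLE:443/app', true],            // scheme/host case and default port normalised
  ['https://evil.example/login', false],
  ['//evil.example', false],                          // protocol-relative
  ['/\\evil.example', false],                         // backslash treated as slash by browsers
  ['https://twake.example@evil.example/', false],     // trusted name in userinfo
  ['https://twake.example.evil.example/', false],     // trusted name as subdomain prefix
  ['javascript:alert(document.domain)', false],
];

// Runs every case through both handlers; `ok` records whether the hardened handler
// agrees with the expectation, `unsafe` shows what the vulnerable code would send.
function runCases() {
  return CASES.map(([input, shouldAllow]) => {
    const safe = safeRedirectTarget(input);
    return { input, unsafe: unsafeRedirectTarget(input), safe, ok: (safe !== '/') === shouldAllow };
  });
}

console.table(runCases());
```

Returning `url.href` rather than the raw input means the browser receives a normalised absolute URL, so no later component can re-interpret the original bytes differently from the check. If only same-site returns are ever needed, an even stricter variant returns `url.pathname + url.search` and drops the allowlist entirely.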
Attack Vector
The attack vector for CVE-2025-70037 is network-based and requires user interaction. An attack proceeds as follows:
- The attacker crafts a URL on the trusted Twake host whose redirect parameter points to an attacker-controlled site
- The link is distributed by phishing e-mail, chat message, or another social-engineering channel
- The victim sees the legitimate Twake domain at the start of the link (in the message, in a link preview, or on hover) and trusts it
- Twake issues the redirect and the victim's browser follows it to the external site
- The attacker's site then harvests credentials, for example with a cloned Twake login page, serves malware, or stages further attacks
Technical details and a proof-of-concept demonstrating this vulnerability are available in the GitHub Gist PoC.
Detection Methods for CVE-2025-70037
Indicators of Compromise
- Unusual redirect patterns in web server logs containing external domains in redirect parameters
- User reports of unexpected redirections when clicking internal Twake links
- Phishing emails or messages containing Twake URLs with suspicious query parameters
- Network traffic showing redirects from Twake servers to known malicious domains
Detection Strategies
- Monitor web application logs for redirect requests containing external URLs in query parameters
- Implement URL reputation checking on outbound redirect destinations
- Deploy web application firewalls (WAF) with rules to detect open redirect patterns
- Review authentication logs for logins from unusual locations, devices or times shortly after redirect events: credentials phished on the attacker's site are replayed against the real Twake login, which is where the theft becomes visible
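The log-monitoring strategy above, as an added example that is not part of Twake or this advisory: a scanner over constructed access-log lines in combined log format, as a reverse proxy in front of Twake would write them. The origin, allowlist, the `/redirect` path, the `next` parameter and the `REDIRECT_PARAMS` list are assumptions; `scanLogLines`, `externalHost` and `hostsPerClient` are names chosen here. The scanner resolves each parameter value as a browser would, so percent-encoded, protocol-relative and userinfo forms are all caught, and it only reports a hit for a redirect-named parameter or a request that actually received a 3xx, which keeps URLs pasted into a search box out of the alert stream.

```javascript
// Added example, not part of Twake or this advisory. Origin, allowlist, endpoint
// and parameter names are assumptions; the log lines are constructed.
const ORIGIN = 'https://twake.example';                           // assumed app origin
const TRUSTED_HOSTS = new Set(['twake.example', 'sso.example']);  // assumed allowlist
// Names commonly used for return/continue redirects. The real Twake parameter is
// not given on this page; add it here once it is known.
const REDIRECT_PARAMS = new Set(['next', 'redirect', 'redirect_uri', 'return', 'return_to', 'url', 'continue']);

// Combined log format: client ident user [time] "METHOD target PROTO" status size "ref" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Resolve a parameter value as a browser would and return the off-site hostname it
// lands on, or null when it stays on a trusted host or is not an http(s) URL.
function externalHost(value) {
  let url;
  try { url = new URL(value, ORIGIN); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return TRUSTED_HOSTS.has(url.hostname) ? null : url.hostname;
}

// Scan access-log lines and report query parameters that point off-site. A hit
// requires either a redirect-named parameter or a 3xx response, so a URL typed
// into a search box on a 200 response is not reported.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = LINE_RE.exec(line);
    if (!m) return;                                   // skip lines that do not parse
    const [, client, , method, target, status] = m;
    let req;
    try { req = new URL(target, ORIGIN); } catch { return; }
    const redirected = status.startsWith('3');
    for (const [name, value] of req.searchParams) {   // searchParams percent-decodes once
      if (!redirected && !REDIRECT_PARAMS.has(name.toLowerCase())) continue;
      const host = externalHost(value);
      if (host) findings.push({ line: i + 1, client, method, path: req.pathname, status, param: name, host });
    }
  });
  return findings;
}

// Distinct off-site hosts per client, for the "many unique external domains" alert.
function hostsPerClient(findings) {
  const out = {};
  for (const f of findings) {
    out[f.client] = out[f.client] || new Set();
    out[f.client].add(f.host);
  }
  return Object.fromEntries(Object.entries(out).map(([c, s]) => [c, [...s].sort()]));
}

// Constructed sample: one benign internal redirect, three abuse attempts, one URL in a search query.
const SAMPLE_LOG = [
  '10.0.0.5 - - [09/Mar/2026:10:00:00 +0000] "GET /redirect?next=%2Fdashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [09/Mar/2026:10:00:01 +0000] "GET /redirect?next=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [09/Mar/2026:10:00:02 +0000] "GET /redirect?next=%2F%2Fevil.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [09/Mar/2026:10:00:03 +0000] "GET /redirect?next=https%3A%2F%2Ftwake.example%40phish.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [09/Mar/2026:10:00:04 +0000] "GET /api/search?q=https%3A%2F%2Fdocs.example%2Fpage HTTP/1.1" 200 845 "-" "Mozilla/5.0"',
];

console.log(scanLogLines(SAMPLE_LOG));
console.log(hostsPerClient(scanLogLines(SAMPLE_LOG)));
```

The 3xx condition only helps when Twake performs the redirect server-side; if the redirect happens in client-side JavaScript the proxy sees a 200, and detection then rests entirely on the parameter-name list, so confirm which case applies and populate `REDIRECT_PARAMS` with the real parameter name. Run the scanner over proxy logs rather than application logs, since the proxy is the one place guaranteed to record the full query string.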
Monitoring Recommendations
- Enable detailed logging, including full query strings, at the reverse proxy or web server in front of Twake so that every redirect request can be reconstructed
- Set up alerts for high volumes of redirect requests to unique external domains
- Monitor for phishing campaigns targeting organization users that leverage Twake URLs
- Implement user behavior analytics to detect anomalous click patterns on redirect links
How to Mitigate CVE-2025-70037
Immediate Actions Required
- Upgrade Linagora Twake to a version newer than v2023.Q1.1223 once a patch is available
- Review the Twake GitHub Repository for security updates and patches
- Implement URL allowlisting at the web application firewall level to restrict redirect destinations
- Educate users about the risks of clicking links, even those appearing to originate from trusted internal applications
Patch Information
Consult the Linagora GitHub Organization and Twake GitHub Repository for official patch releases and security advisories. Monitor these resources for updates addressing CVE-2025-70037.
Workarounds
- Implement a web application firewall rule to block redirect requests containing external domains in URL parameters
- Configure reverse proxy or load balancer rules to validate redirect destinations against an allowlist of trusted domains
- Browser security extensions offer little protection here, because the link the user clicks genuinely points at the Twake host; they are no substitute for the server-side controls above
- Consider temporarily disabling the affected redirect endpoint if it is not required for business operations until a patch is applied, bearing in mind that redirect parameters are often part of login and single sign-on flows
# Example ModSecurity rule to block open redirect attempts. Scoped to all ARGS because the
# vulnerable parameter is not named here; narrow to ARGS:<name> once known to cut false positives.
# Blocks absolute and protocol-relative targets whose authority carries userinfo or is not the trusted host.
SecRule ARGS "@rx ^(?:https?:)?//(?:[^/?#]*@|(?!trusted-domain\.com(?:[:/?#]|$)))" \
    "id:100001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Potential Open Redirect Blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

