Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70037

CVE-2025-70037: Twake URL Redirection RCE Vulnerability

CVE-2025-70037 is a URL redirection vulnerability in linagora Twake v2023.Q1.1223 that enables attackers to steal sensitive data and execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-70037 Overview

A URL Redirection to Untrusted Site vulnerability (CWE-601) has been discovered in Linagora Twake v2023.Q1.1223. This Open Redirect vulnerability allows attackers to redirect users to malicious external sites, potentially leading to sensitive information disclosure and arbitrary code execution through social engineering attacks.

Critical Impact

Attackers can craft malicious URLs that appear legitimate but redirect victims to attacker-controlled domains, enabling credential theft, phishing campaigns, and potential malware delivery.

Affected Products

  • Linagora Twake v2023.Q1.1223

Discovery Timeline

  • 2026-03-09 - CVE CVE-2025-70037 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2025-70037

Vulnerability Analysis

This vulnerability is classified as an Open Redirect (CWE-601), which occurs when an application accepts user-controlled input that specifies a link to an external site and uses that input in a redirect. In the context of Twake, a team collaboration platform, this flaw can be particularly dangerous as users inherently trust URLs originating from their organization's communication tool.

The vulnerability enables attackers to craft specially formatted URLs that leverage the Twake application as a redirect proxy. When users click these malicious links—believing they are safe internal links—they are redirected to attacker-controlled websites. This attack requires user interaction, as victims must click the malicious link for the redirect to occur.

Root Cause

The root cause of this vulnerability is insufficient validation of URL parameters used in redirect functionality within the Twake application. The application fails to properly verify that redirect destinations point to trusted, internal domains before performing the redirection operation. This lack of allowlist validation or improper URL parsing allows external, untrusted URLs to be passed through redirect parameters.

Attack Vector

The attack vector for CVE-2025-70037 is network-based and requires user interaction. An attacker can exploit this vulnerability by:

  1. Crafting a malicious URL that includes the trusted Twake domain with an embedded redirect to an attacker-controlled site
  2. Distributing the link through phishing emails, chat messages, or other social engineering vectors
  3. When victims click the link, they see the legitimate Twake domain and trust the URL
  4. The Twake application then redirects the user to the malicious external site
  5. The attacker's site can then harvest credentials, deliver malware, or perform other malicious actions

Technical details and a proof-of-concept demonstrating this vulnerability are available in the GitHub Gist PoC.

Detection Methods for CVE-2025-70037

Indicators of Compromise

  • Unusual redirect patterns in web server logs containing external domains in redirect parameters
  • User reports of unexpected redirections when clicking internal Twake links
  • Phishing emails or messages containing Twake URLs with suspicious query parameters
  • Network traffic showing redirects from Twake servers to known malicious domains

Detection Strategies

  • Monitor web application logs for redirect requests containing external URLs in query parameters
  • Implement URL reputation checking on outbound redirect destinations
  • Deploy web application firewalls (WAF) with rules to detect open redirect patterns
  • Review authentication logs for credential theft attempts following redirect events

Monitoring Recommendations

  • Enable detailed logging for all redirect operations within the Twake application
  • Set up alerts for high volumes of redirect requests to unique external domains
  • Monitor for phishing campaigns targeting organization users that leverage Twake URLs
  • Implement user behavior analytics to detect anomalous click patterns on redirect links

How to Mitigate CVE-2025-70037

Immediate Actions Required

  • Upgrade Linagora Twake to a version newer than v2023.Q1.1223 once a patch is available
  • Review the Twake GitHub Repository for security updates and patches
  • Implement URL allowlisting at the web application firewall level to restrict redirect destinations
  • Educate users about the risks of clicking links, even those appearing to originate from trusted internal applications

Patch Information

Consult the Linagora GitHub Organization and Twake GitHub Repository for official patch releases and security advisories. Monitor these resources for updates addressing CVE-2025-70037.

Workarounds

  • Implement a web application firewall rule to block redirect requests containing external domains in URL parameters
  • Configure reverse proxy or load balancer rules to validate redirect destinations against an allowlist of trusted domains
  • Deploy browser security extensions organization-wide to warn users of potential open redirect abuse
  • Consider temporarily disabling redirect functionality if not critical to business operations until a patch is applied
bash
# Example WAF rule to detect open redirect attempts (ModSecurity syntax)
SecRule ARGS "@rx ^https?://(?!trusted-domain\.com)" \
    "id:100001,phase:1,deny,status:403,msg:'Potential Open Redirect Blocked'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.