CVE-2025-10355 is an open redirect vulnerability classified under CWE-601, affecting MOLGENIS EMX2 version 11.14.0. The vulnerability arises from improper validation of URL redirection parameters, allowing attackers to craft malicious URLs that redirect users to arbitrary external domains. Specifically, the vulnerability exploits the handling of encoded slashes (%2f%2f) in the redirect parameter, which can be manipulated to bypass security checks and redirect users to attacker-controlled sites. This can be leveraged in phishing campaigns, where users believe they are navigating within a trusted MOLGENIS environment but are instead sent to malicious websites designed to steal credentials or deliver malware. The vulnerability is remotely exploitable over the network without requiring authentication, but it requires user interaction to click on the crafted malicious URL. The CVSS 4.0 score of 5.1 reflects a medium severity, considering the ease of exploitation and the potential impact on user trust and confidentiality. No patches or official fixes are currently linked, and no active exploitation has been reported. MOLGENIS EMX2 is a platform widely used in biomedical research and data management, making this vulnerability particularly relevant for organizations handling sensitive research data. The vulnerability's exploitation could undermine user confidence and lead to indirect compromise through social engineering attacks.

For European organizations, especially those in biomedical research, healthcare, and data management sectors using MOLGENIS EMX2, this vulnerability poses a risk of phishing and social engineering attacks. Successful exploitation could lead to credential theft, unauthorized access to sensitive research data, and potential malware infections. The indirect impact includes reputational damage, loss of trust among collaborators, and possible regulatory consequences under GDPR if personal or sensitive data is compromised. Since MOLGENIS is used in research institutions across Europe, the vulnerability could disrupt collaborative projects and data sharing. Although the vulnerability does not directly compromise system integrity or availability, the redirection can facilitate attacks that do. The lack of authentication requirement and ease of exploitation increase the risk, especially if users are not trained to recognize suspicious URLs. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers could develop exploits rapidly once the vulnerability is public.

Organizations should implement strict validation and sanitization of all URL redirection parameters within MOLGENIS EMX2 to ensure only trusted internal URLs are allowed. Employ allowlists for redirect destinations rather than blacklists to prevent bypass via encoding tricks like %2f%2f. Until an official patch is released, consider deploying web application firewalls (WAFs) with rules to detect and block suspicious redirect patterns. Conduct user awareness training focused on recognizing phishing attempts and suspicious URLs, emphasizing caution when clicking links from untrusted sources. Monitor logs for unusual redirect requests and investigate any anomalies promptly. If feasible, restrict external URL redirection functionality or disable it temporarily. Engage with MOLGENIS vendor support to obtain updates or patches and apply them promptly once available. Additionally, implement multi-factor authentication (MFA) on user accounts to mitigate the impact of credential theft resulting from phishing.