CVE-2025-11190: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Synchroweb Kiwire
The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker-controlled website.
AI Analysis
Technical Summary
CVE-2025-11190 identifies a vulnerability in Synchroweb's Kiwire Captive Portal version 3.6, specifically an open redirection issue via the login-url parameter. Open redirection occurs when an application accepts a user-controlled input that specifies a URL and redirects the user to that URL without sufficient validation. In this case, the login-url parameter can be manipulated by an attacker to redirect users to attacker-controlled websites. This vulnerability falls under CWE-89, which is generally associated with SQL Injection, but the description and details indicate the primary issue is open redirection rather than SQL Injection, suggesting a possible misclassification or multiple issues. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) indicates the vulnerability is remotely exploitable over the network without privileges but requires user interaction. The impact on confidentiality and integrity is low, as the attacker can only redirect users but cannot directly access or modify data. Availability is not affected. The lack of patches and absence of known exploits in the wild suggest this is a newly disclosed vulnerability. The open redirection can be leveraged in phishing campaigns, where users are tricked into visiting malicious sites appearing legitimate due to the trusted captive portal domain. This can lead to credential theft, malware infection, or further social engineering attacks. The vulnerability affects only version 3.6 of Kiwire, a captive portal solution commonly used in public Wi-Fi networks to manage user access and authentication.
Potential Impact
For European organizations, especially those operating public Wi-Fi networks such as airports, hotels, cafes, and transportation hubs, this vulnerability poses a risk of facilitating phishing and social engineering attacks. Attackers can exploit the open redirection to lure users into malicious sites, potentially leading to credential compromise or malware infections. Although the vulnerability does not directly compromise the captive portal system's data or availability, the indirect consequences can be severe, including reputational damage and loss of user trust. Organizations relying on Kiwire 3.6 may face increased risk of targeted attacks exploiting this flaw. Additionally, sectors with high public interaction and reliance on captive portals, such as tourism and hospitality, are particularly vulnerable. The medium severity rating reflects the moderate risk level but underscores the importance of timely mitigation to prevent exploitation. The absence of known exploits in the wild currently limits immediate impact, but proactive measures are essential to avoid future attacks.
Mitigation Recommendations
Since no official patches are currently available for Kiwire 3.6, organizations should implement immediate compensating controls. First, validate and sanitize the login-url parameter rigorously to ensure only trusted URLs within the organization's domain are accepted for redirection. Implement strict allowlists for redirect destinations and reject or log any attempts to redirect to external or untrusted domains. Employ web application firewalls (WAFs) with rules to detect and block open redirection attempts targeting the login-url parameter. Educate users about the risks of clicking unexpected links, especially those originating from captive portals. Monitor network traffic and logs for unusual redirection patterns or spikes in phishing attempts. Where feasible, upgrade to a newer, patched version of Kiwire once available or consider alternative captive portal solutions with better security postures. Additionally, implement multi-factor authentication (MFA) on captive portal login processes to reduce the impact of credential theft resulting from phishing. Regularly review and update security policies governing public Wi-Fi access to incorporate these mitigations.
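The first recommendation above, an allowlist check on the login-url value, as an added example in Python; this is illustrative code, not Kiwire's own, and the hostname portal.example.net and the /welcome fallback are assumptions. It rejects the inputs that commonly slip past naive "starts with /" or "contains our domain" checks (protocol-relative URLs, backslashes, userinfo tricks, non-http schemes) and hands rejected values to a logging callback for monitoring.

```python
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the portal's own hostname and its
# default post-login page. Adjust both for the deployment being protected.
ALLOWED_HOSTS = {"portal.example.net"}
DEFAULT_AFTER_LOGIN = "/welcome"


def check_login_url(login_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason); ok only for a local path or an allowlisted http(s) host."""
    if login_url is None or login_url == "":
        return False, "empty"
    url = login_url.strip()
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False, "control-or-whitespace"
    # Browsers treat "\" like "/" in the authority part, so a value such as
    # "/\host" would be parsed as a foreign host; refuse backslashes outright.
    if "\\" in url:
        return False, "backslash"
    if url.startswith("/"):
        # "//host/..." is protocol-relative: a foreign host, not a local path.
        if url.startswith("//"):
            return False, "protocol-relative"
        return True, "relative-path"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme"
    if not parts.netloc:
        return False, "no-host"
    # "http://portal.example.net@other/" puts the trusted name in the userinfo.
    if "@" in parts.netloc:
        return False, "userinfo"
    # parts.hostname is already lower-cased and stripped of port and brackets.
    if parts.hostname not in allowed_hosts:
        return False, "host-not-allowed"
    return True, "allowlisted-host"


def safe_redirect_target(login_url, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_AFTER_LOGIN, log=None):
    """Return login_url if it passes the check, else the default, logging rejects."""
    ok, reason = check_login_url(login_url, allowed_hosts)
    if ok:
        return login_url.strip()
    if log is not None:
        log(reason, login_url)
    return default
```

Call safe_redirect_target on the raw login-url value at the point the portal issues its redirect, and feed the log callback into the same monitoring that the recommendations ask for.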
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: certcc
- Date Reserved: 2025-09-30T12:21:52.881Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68e8ea6230774abc8f786ea6
Added to database: 10/10/2025, 11:13:38 AM
Last enriched: 11/3/2025, 6:19:16 PM
Last updated: 11/24/2025, 8:36:09 AM