CVE-2025-11720: Spoofing risk in Android custom tabs in Mozilla Firefox

Severity: High
Published: Tue Oct 14 2025 (10/14/2025, 12:27:38 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144.

AI-Powered Analysis

Last updated: 10/14/2025, 13:08:15 UTC

Technical Analysis

CVE-2025-11720 is a spoofing vulnerability in Mozilla Firefox and Firefox Focus on Android, specific to the custom tabs feature. The custom tab UI displayed only the 'site' portion of the URL rather than the full hostname, so subdomains were not visible to the user. An attacker who controls user-supplied content hosted on one subdomain of a legitimate site could therefore present pages that, in the custom tab's identity indicator, are indistinguishable from a different, trusted subdomain of the same site. This form of UI spoofing can facilitate phishing, credential theft, or delivery of malicious payloads by exploiting user trust in the displayed URL. The vulnerability affects all Firefox versions prior to 144 on Android; no finer-grained list of affected versions was provided. There are no known exploits in the wild at the time of publication. Exploitation does not require user authentication, but it does require the user to open the malicious URL. No CVSS score was assigned, so the assessment here is based on impact and exploitability factors. The flaw primarily compromises confidentiality and integrity by enabling deceptive UI elements that can trick users into divulging sensitive information or performing unintended actions; availability is not directly affected. Because the flaw is in a widely used mobile browser, the exposed population is broad, especially in regions with high Firefox for Android usage. The issue was published on October 14, 2025, and no patch links were provided, so users should monitor for updates from Mozilla and apply them promptly.
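To make the root cause concrete, the following added example (not Mozilla's code, and not part of the original analysis) models the two identity indicators the advisory contrasts: a "site"-only label and the full hostname. It assumes "site" means the registrable domain (eTLD+1) and uses a constructed, deliberately tiny stand-in for the Public Suffix List; the sample URLs are constructed as well.

```python
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List (assumption: a real
# implementation would consult the full list, e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def full_hostname(url: str) -> str:
    """The complete hostname, subdomains included, lower-cased."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def site(url: str) -> str:
    """The registrable domain (eTLD+1): what a 'site'-only indicator shows."""
    labels = full_hostname(url).split(".")
    # Walk left to right so the first match is the longest public suffix,
    # then keep exactly one label in front of it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("hostname is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown


def indicator_collides(url_a: str, url_b: str, show_full_hostname: bool) -> bool:
    """True when two different URLs would render the same identity indicator."""
    label = full_hostname if show_full_hostname else site
    return url_a != url_b and label(url_a) == label(url_b)


# Constructed sample URLs: a user-content subdomain and an accounts subdomain
# of the same site, mirroring the scenario in the advisory.
USER_CONTENT = "https://pages.example.com/~anyone/login.html"
ACCOUNTS = "https://accounts.example.com/login"

if __name__ == "__main__":
    for show_full in (False, True):
        label = full_hostname if show_full else site
        print(f"full hostname shown: {show_full}")
        print(f"  {USER_CONTENT} -> {label(USER_CONTENT)}")
        print(f"  {ACCOUNTS} -> {label(ACCOUNTS)}")
        print(f"  indistinguishable: {indicator_collides(USER_CONTENT, ACCOUNTS, show_full)}")
```

With the site-only indicator both URLs render as "example.com", which is exactly the collision the fixed UI in Firefox 144 removes by showing the full hostname.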

Potential Impact

For European organizations, this vulnerability poses a significant risk to mobile users who rely on Firefox for Android, particularly in sectors where secure browsing is critical, such as finance, healthcare, and government. The spoofing risk can lead to successful phishing campaigns targeting employees, resulting in credential compromise, unauthorized access to corporate resources, and potential data breaches. Since the vulnerability affects the UI display of URLs, users may be deceived into trusting malicious sites that appear legitimate, increasing the likelihood of social engineering attacks. This can undermine organizational security policies and lead to financial losses or reputational damage. The impact is heightened in environments where mobile device usage is prevalent and where Firefox is a preferred browser. Additionally, the lack of immediate patches means organizations must be vigilant in user education and monitoring until updates are deployed. The vulnerability does not directly affect system availability but can indirectly cause operational disruptions through security incidents triggered by successful exploitation.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediately update all Firefox for Android installations to version 144 or later once the patch is released by Mozilla to eliminate the vulnerability.
2) Until patches are available, educate users about the risk of URL spoofing in custom tabs and encourage vigilance when interacting with links, especially those received via email or messaging apps.
3) Employ mobile device management (MDM) solutions to enforce browser update policies and restrict installation of unapproved browsers.
4) Use endpoint protection tools capable of detecting phishing attempts and malicious URLs to provide an additional layer of defense.
5) Implement network-level protections such as DNS filtering and web proxies that can block access to known malicious subdomains or suspicious URLs.
6) Encourage the use of alternative browsers or secure browsing modes that display full URLs to reduce the risk of spoofing.
7) Monitor user reports and security logs for signs of phishing or unusual browsing behavior that could indicate exploitation attempts.
8) Collaborate with Mozilla and security communities to stay informed about patch releases and emerging threats related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-10-13T19:50:22.446Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68ee47d0509368ccaa6fc9a8

Added to database: 10/14/2025, 12:53:36 PM

Last enriched: 10/14/2025, 1:08:15 PM

Last updated: 10/16/2025, 12:21:20 AM

