CVE-2025-11720 is a vulnerability identified in Mozilla Firefox and Firefox Focus browsers on Android platforms, specifically related to the custom tab feature's user interface. The flaw stems from the UI only displaying the 'site' portion of the URL rather than the full hostname. This incomplete display can be exploited by attackers who control user-supplied content hosted on a subdomain of a legitimate site. By doing so, they can deceive users into believing they are interacting with a different, trusted subdomain of the same site, facilitating phishing or other social engineering attacks. The vulnerability is classified under CWE-451 (User Interface Misrepresentation) and has a CVSS v3.1 base score of 8.1, indicating high severity. The attack vector is network-based with low attack complexity, requiring no privileges but user interaction to trigger the exploit. The impact primarily affects confidentiality and integrity, as users may inadvertently disclose sensitive information or perform actions under false pretenses. Availability is not impacted. The vulnerability affects Firefox versions below 144, with no patch links currently provided, and no known exploits in the wild have been reported as of the publication date. This issue highlights the importance of accurate URL presentation in browser UI to prevent domain spoofing attacks.

For European organizations, the vulnerability poses a significant risk to user trust and data confidentiality, especially for those relying on Firefox on Android devices for accessing sensitive internal or customer-facing web applications. Attackers could exploit this flaw to conduct targeted phishing campaigns by impersonating trusted subdomains, potentially leading to credential theft, unauthorized access, or data leakage. Sectors such as finance, healthcare, and government, which handle sensitive personal and financial data, are particularly vulnerable. The risk is exacerbated in environments where users are less security-aware or where mobile device usage is prevalent. Although availability is not affected, the integrity and confidentiality breaches could result in regulatory non-compliance under GDPR, reputational damage, and financial losses. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly known.

European organizations should prioritize upgrading Firefox and Firefox Focus on Android devices to version 144 or later as soon as patches become available. Until then, organizations should implement user awareness campaigns emphasizing the importance of verifying full URLs and being cautious with links, especially those received via email or messaging apps. Security teams should monitor for phishing attempts that exploit subdomain spoofing and consider deploying mobile endpoint protection solutions capable of detecting suspicious browser behavior. Additionally, organizations can enforce the use of alternative browsers without this vulnerability on managed devices or restrict access to critical web applications from vulnerable browsers. Web developers should consider implementing strict Content Security Policies (CSP) and HTTP Strict Transport Security (HSTS) to reduce the risk of man-in-the-middle attacks that could compound this vulnerability. Finally, continuous monitoring of threat intelligence feeds for any emerging exploits related to CVE-2025-11720 is recommended.