
CVE-2025-54145: Scanning a malicious URL utilizing Firefox's open-text scheme with the QR code scanner could load arbitrary websites in Mozilla Firefox for iOS

Severity: Critical
Type: Vulnerability
Published: Tue Aug 19 2025 (08/19/2025, 20:52:48 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox for iOS

Description

The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme. This vulnerability affects Firefox for iOS < 141.

AI-Powered Analysis

Last updated: 08/27/2025, 01:12:17 UTC

Technical Analysis

CVE-2025-54145 is a critical vulnerability affecting Mozilla Firefox for iOS versions prior to 141. The flaw resides in the QR code scanner functionality, which can be exploited when a user scans a malicious QR code containing a specially crafted URL that leverages Firefox's open-text URL scheme. This vulnerability is categorized under CWE-601, indicating an open redirect or URL redirection issue. When exploited, the malicious QR code causes Firefox for iOS to open arbitrary websites without user consent or awareness. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting its critical severity. The vector metrics indicate that the attack can be performed remotely (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality and integrity at a high level (C:H/I:H), but does not affect availability (A:N). This means an attacker can remotely and silently redirect users to malicious websites, potentially leading to phishing, malware delivery, or credential theft. The vulnerability is particularly dangerous because it exploits a trusted feature (QR code scanning) that users may rely on for convenience, increasing the likelihood of successful exploitation. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that users remain vulnerable until an update is released and applied.
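The open-redirect pattern described above, reduced to its essentials as an added illustration. This is not Mozilla's code and does not reproduce Firefox for iOS internals: the only detail taken from the advisory is that a QR-scanned link can reach the app's "open-text" URL scheme. The scheme name `exampleapp`, the `open-text` host and the `text=` query parameter are assumed placeholders, and the scanned QR payload is constructed. The point it shows is defensive: optical input from a QR code is untrusted, so it must never be routed into the app's own deep-link entry point, and navigation to a scanned web URL should require the user to confirm the displayed destination.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed placeholders (not Mozilla's real identifiers): the app's own custom
# URL scheme and the "open-text" deep-link it exposes for inter-app hand-off.
APP_SCHEME = "exampleapp"
OPEN_TEXT_HOST = "open-text"
WEB_SCHEMES = {"http", "https"}

# Constructed sample: a QR code carrying the app's own scheme, whose "text"
# parameter is itself a web URL pointing at a reserved example hostname.
MALICIOUS_QR = "exampleapp://open-text?text=https%3A%2F%2Fattacker.example%2Flogin"


def looks_like_web_url(text):
    """True only for http(s) URLs that carry a host."""
    parts = urlsplit(text)
    return parts.scheme in WEB_SCHEMES and bool(parts.netloc)


def handle_open_text(deeplink):
    """Assumed deep-link handler: 'open this text' means navigate to it if it
    looks like a URL, otherwise run it as a search. Designed for trusted
    callers (another app sharing text), not for untrusted scanner input."""
    text = parse_qs(urlsplit(deeplink).query).get("text", [""])[0]
    if looks_like_web_url(text):
        return ("open", text)
    return ("search", text)


def on_qr_scanned_unsafe(scanned):
    """Vulnerable pattern (CWE-601): whatever the QR code contains is parsed
    as a URL and dispatched. The app's own scheme is accepted from the
    scanner, so the deep-link handler opens the embedded target silently."""
    parts = urlsplit(scanned)
    if parts.scheme == APP_SCHEME and parts.netloc == OPEN_TEXT_HOST:
        return handle_open_text(scanned)
    if looks_like_web_url(scanned):
        return ("open", scanned)
    return ("search", scanned)


def on_qr_scanned_hardened(scanned):
    """Hardened dispatch: scanned content never enters the deep-link handler,
    only http(s) URLs are eligible for navigation, and even those are handed
    to the UI as a 'confirm' action that shows the destination first.
    Anything else (including the app's own scheme) is displayed as text."""
    if looks_like_web_url(scanned):
        return ("confirm", scanned)
    return ("show_text", scanned)


if __name__ == "__main__":
    print("unsafe:  ", on_qr_scanned_unsafe(MALICIOUS_QR))
    print("hardened:", on_qr_scanned_hardened(MALICIOUS_QR))
```

With the constructed payload, the unsafe path returns an `open` action for the embedded `https://attacker.example/login` with no prompt, while the hardened path returns `show_text` for the whole scanned string. A plain `https://` QR code still works in the hardened path, but surfaces as a `confirm` action so the user sees where they are going before the browser navigates.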

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those with employees or customers using Firefox for iOS. The ability to silently redirect users to arbitrary malicious websites can lead to credential compromise, unauthorized data access, and potential lateral movement within corporate networks if phishing or malware payloads are delivered. Sectors such as finance, healthcare, and government, which often handle sensitive personal and financial data, are particularly at risk. The vulnerability undermines user trust in secure browsing and can facilitate targeted spear-phishing campaigns leveraging QR codes distributed via email, physical posters, or digital media. Since the attack requires no user interaction beyond scanning a QR code, it can be exploited in public spaces or through social engineering. The lack of a patch increases exposure time, and organizations relying on iOS devices with Firefox installed must consider this vulnerability in their risk assessments and incident response planning.

Mitigation Recommendations

Organizations should immediately communicate the risk to users of Firefox for iOS and advise caution when scanning QR codes from untrusted sources. Until a patch is available, consider disabling or restricting the use of Firefox for iOS on corporate devices, or enforce policies that limit QR code scanning to trusted applications with verified security. Implement network-level protections such as DNS filtering and web proxy solutions to block access to known malicious domains and suspicious URLs. Security awareness training should emphasize the dangers of scanning QR codes from unknown or unsolicited sources. Monitoring network traffic for unusual outbound connections from iOS devices can help detect exploitation attempts. Once Mozilla releases a patch, prioritize prompt deployment across all affected devices. Additionally, consider integrating mobile device management (MDM) solutions to enforce application updates and restrict installation of vulnerable app versions.


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-07-17T02:35:52.285Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68a4e678ad5a09ad00fb5d82

Added to database: 8/19/2025, 9:02:48 PM

Last enriched: 8/27/2025, 1:12:17 AM

Last updated: 9/4/2025, 10:23:07 PM
