CVE-2025-55060: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Priority Web
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
AI Analysis
Technical Summary
CVE-2025-55060 is classified as a CWE-601 open redirect vulnerability affecting Priority Web, a web-based product by Priority, in versions 23.0 and earlier. An open redirect occurs when a web application takes a URL from user-controlled input and redirects the user to it without sufficient validation. An attacker can therefore craft a link whose visible origin is the trusted Priority Web hostname but whose final destination is a site the attacker controls. The record summarised here does not name the affected endpoint or parameter. The vulnerability has a CVSS 3.1 base score of 6.1 (medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the attack is performed remotely (AV:N) with low complexity (AC:L) and no privileges (PR:N), but requires the victim to follow a link (UI:R). Scope is changed (S:C) because the damage lands in the victim's browser and on the destination site rather than in Priority Web itself, which is also why the confidentiality and integrity impacts are rated low (C:L, I:L) and availability is unaffected (A:N). The practical use is phishing and social engineering: a victim who trusts the Priority Web domain is redirected to a look-alike login page that harvests credentials, to a malware download, or to another attacker-controlled page. No public exploit or vendor patch is referenced; the CVE record was reserved on 6 August 2025 (assigner INCD) and is in PUBLISHED state. Until a fix is released, organizations must rely on the mitigations below. The vulnerability is most relevant for internet-facing Priority Web deployments that redirect users based on request parameters.
Potential Impact
For European organizations, this vulnerability primarily threatens user trust and security by enabling phishing and social engineering attacks that leverage trusted Priority Web URLs to redirect users to malicious sites. Confidentiality and integrity of user data may be compromised if users are tricked into submitting credentials or sensitive information on attacker-controlled sites. Although availability is not directly impacted, successful exploitation could lead to reputational damage, loss of customer trust, and potential regulatory scrutiny under GDPR if personal data is compromised. Organizations in sectors with high user interaction such as finance, government, and e-commerce are at greater risk. The medium severity rating reflects that while the vulnerability does not allow direct system compromise, the indirect effects through user deception can be significant. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation. European organizations using Priority Web versions 23.0 and below should consider this vulnerability a moderate threat vector that requires timely mitigation.
Mitigation Recommendations
1. Validate every user-controlled redirect parameter server-side before it is written to the Location header: accept only same-origin relative paths (a single leading "/") or absolute URLs whose scheme is http or https and whose host exactly matches an allowlist. Validate the exact string that will be emitted, after any decoding the application performs.
2. Use allowlists of redirect destinations rather than denylists. Denylist and substring checks are routinely bypassed with scheme-relative targets ("//evil.example", "///evil.example"), backslashes ("/\evil.example", which browsers read as "//evil.example"), userinfo tricks ("https://trusted.example@evil.example"), look-alike subdomains ("trusted.example.evil.example") and non-HTTP schemes such as javascript:.
3. Prefer relative URLs for internal redirects, and fall back to a fixed safe landing page when validation fails rather than echoing the rejected value.
4. Educate users and employees about phishing and suspicious links, in particular links that start at a trusted Priority Web hostname but land on another domain.
5. Monitor web server logs for requests to redirect-capable endpoints whose redirect parameter decodes to an external host or a scheme-relative URL; a burst of such requests from one source indicates a probe or an active campaign.
6. Deploy web application firewall (WAF) rules that block external hosts in redirect parameters of Priority Web as a stopgap; WAF signatures are bypassable and do not replace the server-side fix.
7. Coordinate with Priority to obtain and apply security patches promptly once released; no fixed version is referenced here.
8. Enforce multi-factor authentication (MFA), preferably phishing-resistant (FIDO2/WebAuthn), to limit the value of credentials captured on an attacker-controlled page.
9. Review and update incident response plans to include open redirect abuse and the phishing campaigns it enables.
10. Conduct regular security assessments and penetration tests that exercise the URL redirection mechanisms within Priority Web with the bypass payloads listed above.
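The validation described in items 1 to 3 and the log check in item 5, as an added example that is not Priority Web's code and not part of the original advisory. It assumes the application is served as erp.example.com, that the redirect parameter is one of ReturnUrl, redirect, next or url (Priority Web's real parameter name is not given here), a hypothetical /login endpoint, and access-log lines constructed for the example. The validator rejects the bypass shapes listed above rather than trying to normalise them.

```python
"""Allowlist-based redirect validation plus a log scan for open-redirect probes.

Added example, not Priority Web's code. Assumptions: the application is served
as erp.example.com, the redirect parameter names below, and the access-log
lines, which are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"erp.example.com"}                         # assumed deployment hostname
REDIRECT_PARAMS = {"returnurl", "redirect", "next", "url"}  # assumed parameter names


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-origin path or an http(s) URL whose host is allowlisted.

    Checks run on the exact string that would go into the Location header.
    """
    if not target:
        return False
    # Browsers strip or reinterpret C0 controls, spaces and backslashes
    # ("/\\evil" is read as "//evil"); reject them outright rather than normalise.
    if any(ord(c) <= 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http/https, and the parsed host (not the raw netloc,
        # which may carry "trusted@evil" userinfo) must be on the allowlist.
        if parts.scheme.lower() not in ("http", "https"):
            return False          # javascript:, data:, vbscript:, ...
        return parts.hostname is not None and parts.hostname.lower() in allowed_hosts
    # No scheme: "//host" and "///host" are scheme-relative, i.e. external.
    if target.startswith("//"):
        return False
    # Require a single leading slash so the result is a path on this origin.
    return target.startswith("/")


def safe_redirect(requested: str, fallback: str = "/") -> str:
    """Value for the Location header: the requested target if it validates, else a fixed page."""
    return requested if is_safe_redirect_target(requested) else fallback


# Combined-log-format lines, constructed for this example (hypothetical /login path).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2025:10:01:02 +0000] "GET /login?ReturnUrl=%2Fdashboard HTTP/1.1" 302 0
203.0.113.8 - - [06/Aug/2025:10:01:05 +0000] "GET /login?ReturnUrl=https%3A%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0
203.0.113.9 - - [06/Aug/2025:10:01:07 +0000] "GET /login?ReturnUrl=%2F%2Fevil.example HTTP/1.1" 302 0
203.0.113.10 - - [06/Aug/2025:10:01:09 +0000] "GET /login?ReturnUrl=https%3A%2F%2Ferp.example.com%2Fhome HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_redirect_probes(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (ip, param, decoded value, status) for requests whose redirect
    parameter would fail validation, i.e. likely open-redirect probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["path"]).query
        # parse_qs percent-decodes, so the value is what the app would redirect to.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                if not is_safe_redirect_target(value, allowed_hosts):
                    hits.append((m["ip"], name, value, int(m["status"])))
    return hits


if __name__ == "__main__":
    for probe in ("/dashboard", "//evil.example", "/\\evil.example",
                  "https://erp.example.com@evil.example/", "https:evil.example"):
        print(f"{probe!r:45} -> {safe_redirect(probe)}")
    for hit in find_redirect_probes(SAMPLE_LOG):
        print("probe:", hit)
```

The validator deliberately has no "fix up" path: anything it does not recognise as a plain same-origin path or an allowlisted absolute URL is replaced by the fixed landing page, so a rejected value is never echoed back. The log scan applies the same predicate to the decoded parameter, which is the value a vulnerable server would have redirected to, so a rule tuned here matches what the WAF in item 6 should block.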
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCD
- Date Reserved: 2025-08-06T11:06:54.841Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 12/30/2025, 10:22:44 PM
Last enriched: 12/30/2025, 11:19:03 PM
Last updated: 2/7/2026, 1:42:21 AM