CVE-2025-60935: n/a

Severity: Medium
Published: Wed Dec 24 2025 (12/24/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token theft after successful authentication.

AI-Powered Analysis

Last updated: 12/24/2025, 16:10:55 UTC

Technical Analysis

CVE-2025-60935 is an open redirect in the login endpoint of Blitz Panel 1.17.0. The endpoint accepts a next_url parameter that tells the application where to send the browser once authentication succeeds, but the value is not validated against the application's own origin, so a crafted link whose next_url points at an attacker-controlled host is honoured verbatim.

The attack needs no access to the panel: the attacker sends a victim a link to the genuine login page carrying a malicious next_url. The victim sees the real hostname, authenticates normally, and only then is bounced to the attacker's site, typically a clone of the panel that asks them to log in "again". Because the redirect fires after a successful login on the legitimate origin, the destination inherits more trust than a bare phishing link would. Whether session tokens themselves can be captured depends on whether Blitz Panel ever places session material in the redirected URL; the advisory states the possibility but not the mechanism.

No CVSS vector has been assigned and no public exploit has been reported. Open redirects in authentication flows are a recurring phishing primitive, so the practical risk is credential and session compromise rather than direct code execution. Operators of Blitz Panel should audit the login endpoint's handling of next_url and restrict it to same-origin paths or an explicit allow list.

Potential Impact

For European organizations, this vulnerability could lead to compromised user credentials and session tokens, enabling attackers to gain unauthorized access to sensitive systems managed via Blitz Panel. This could result in data breaches, unauthorized administrative actions, and lateral movement within networks. The phishing potential increases the risk of widespread credential theft, especially in sectors with high-value targets such as finance, healthcare, and critical infrastructure. The open redirect can also damage organizational reputation and user trust. Since Blitz Panel is a management tool, exploitation could indirectly affect availability and integrity if attackers leverage stolen credentials to deploy malicious configurations or disrupt services. The lack of known exploits currently provides a window for proactive mitigation, but the vulnerability’s presence in a login mechanism makes it a high-priority issue for organizations relying on this software.

Mitigation Recommendations

Identify every Blitz Panel 1.17.0 instance and any reverse proxies or SSO flows that pass next_url to its login endpoint. Until a vendor fix is available, the most effective control is to validate next_url server-side: accept only relative paths on the application's own origin (a single leading slash, no scheme, no host, no scheme-relative // prefix, no backslashes that browsers normalise to slashes), or compare the parsed host against an explicit allow list; a deny list of known-bad domains is not sufficient. Where possible, drop the client-supplied parameter altogether and keep the intended post-login destination in server-side session state before sending the user to the login page. Treat user education and a WAF rule matching absolute URLs in next_url as secondary controls; they reduce exposure but do not remove the flaw. Review access logs for login requests whose next_url carries a scheme, a host, or a scheme-relative prefix, and correlate hits with subsequent logins from the same client. Enforce multi-factor authentication on the panel so that credentials harvested through a redirected phishing page are not enough on their own, and apply the vendor update as soon as one is published.
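The validation described above, as an added Python example that is not Blitz Panel code and does not reflect how Blitz Panel implements its login endpoint: a same-origin check for next_url, the unsafe and hardened redirect helpers side by side, and a scan over constructed access-log lines that flags login requests whose next_url fails the check. The trusted hostname panel.example.internal, the /login path, the parameter name as handled here and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the hostname that serves the Blitz Panel login page.
TRUSTED_HOST = "panel.example.internal"


def is_safe_next_url(next_url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """True only if next_url stays on this application.

    Accepts an absolute path on this origin ("/dashboard?tab=1") or an
    https URL whose host is exactly trusted_host. Rejects anything with a
    foreign scheme or host, the scheme-relative "//host" form, backslashes
    (browsers turn "/\\host" into "//host"), control characters, and
    leading or trailing whitespace, which some parsers strip before the
    scheme check.
    """
    if not next_url or len(next_url) > 2048:
        return False
    # Look through one layer of percent-encoding so "%2F%2Fevil" is judged
    # the way the browser will eventually interpret it.
    candidate = unquote(next_url)
    if candidate != candidate.strip():
        return False
    if any(ord(ch) < 0x20 or ch == "\\" for ch in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https, only our host, and no userinfo trick
        # such as "https://trusted@evil.example/".
        return (
            parts.scheme == "https"
            and parts.username is None
            and parts.hostname == trusted_host
        )
    # Relative URL: must be a path on this origin, never "//host".
    return candidate.startswith("/") and not candidate.startswith("//")


def post_login_redirect_unsafe(next_url: str, fallback: str = "/") -> str:
    """The pattern the advisory describes: the client's value is used verbatim."""
    return next_url or fallback


def post_login_redirect(next_url: str, fallback: str = "/") -> str:
    """Hardened form: fall back to a fixed path unless the value is same-origin."""
    return next_url if is_safe_next_url(next_url) else fallback


# Assumed combined-log-format request field, e.g. "GET /login?next_url=... HTTP/1.1".
_REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
LOGIN_PATH = "/login"  # assumption: path of the affected endpoint


def suspicious_next_urls(log_lines):
    """Return (next_url, line) pairs for login requests whose next_url fails validation."""
    findings = []
    for line in log_lines:
        match = _REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != LOGIN_PATH:
            continue
        # parse_qs already percent-decodes each value once.
        for raw in parse_qs(target.query, keep_blank_values=True).get("next_url", []):
            if not is_safe_next_url(raw):
                findings.append((raw, line))
    return findings


# Constructed sample log lines, not taken from any real Blitz Panel deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2025:10:01:02 +0000] "GET /login?next_url=%2Fdashboard HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Dec/2025:10:01:07 +0000] "GET /login?next_url=%2F%2Fevil.example%2Flogin HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Dec/2025:10:01:09 +0000] "GET /login?next_url=https%3A%2F%2Fpanel.example.internal%40evil.example%2F HTTP/1.1" 200 512',
    '10.0.0.3 - - [24/Dec/2025:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for raw, line in suspicious_next_urls(SAMPLE_LOG):
        print(f"open-redirect attempt: next_url={raw!r} from {line.split(' ')[0]}")
    print("unsafe:", post_login_redirect_unsafe("//evil.example"),
          "| hardened:", post_login_redirect("//evil.example"))
```

The validator deliberately rejects rather than rewrites: a value that does not parse as a same-origin path is replaced by the fixed fallback, so the login flow never emits a Location header the attacker chose. The log scan applies the same predicate to historical traffic, which is a cheap way to find out whether the crafted links were already in circulation before the fix.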


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-09-26T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 694c0d10550a31ae84bde24f

Added to database: 12/24/2025, 3:56:00 PM

Last enriched: 12/24/2025, 4:10:55 PM

Last updated: 12/24/2025, 5:11:01 PM


