CVE-2025-61782: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in OpenCTI-Platform opencti
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can force the server to issue a 302 redirect to any external URL, enabling phishing, credential theft, and arbitrary site redirection. This issue has been patched in version 6.8.3.
AI Analysis
Technical Summary
CVE-2025-61782 is an open redirect (CWE-601) in OpenCTI, an open-source cyber threat intelligence platform. Versions before 6.8.3 do not validate the RelayState parameter handled by the SAML authentication endpoint (/auth/saml/callback). RelayState exists so that a service provider can remember where to send the user once the identity provider returns the SAML response; it travels with the login request and comes back unchanged with the response, so its content is attacker-controllable. Because OpenCTI used the value as the redirect target without restriction, a crafted link makes the server answer with a 302 whose Location header points at any external URL. A user who follows such a link, whether or not already logged in, passes through the genuine OpenCTI hostname and lands on an attacker-chosen site, which is what makes the flaw useful for phishing and credential theft. Exploitation needs no privileges or authentication but does need the victim to follow the link. The CVSS v3.1 base score is 5.4 (Medium): network attack vector, low attack complexity, no privileges required, user interaction required, low impact on confidentiality and integrity, no impact on availability. No exploitation in the wild had been reported at publication. The issue is fixed in OpenCTI 6.8.3. The advisory does not describe the change, but the necessary fix for this class of bug is to accept RelayState only when it resolves to a path on the platform's own origin and to fall back to a fixed landing page otherwise.
Potential Impact
For European organizations running OpenCTI versions earlier than 6.8.3 the risk is moderate. A phishing link can begin with the organization's own OpenCTI hostname and a legitimate SAML path, which passes casual inspection and link filters keyed on domain reputation, before bouncing the user to a credential-harvesting page that imitates the identity provider's login form. Because the redirect happens inside the authentication flow, a cloned login page is exactly what the victim expects to see next. Captured credentials give access to the OpenCTI account and, through it, to the threat intelligence the organization holds and shares with partners. The vulnerability does not by itself compromise the server or exfiltrate data; its value to an attacker is as a social engineering primitive in a multi-stage intrusion. Security operations teams, government CERTs and critical infrastructure operators that use OpenCTI for intelligence sharing are the natural targets. No exploitation in the wild has been reported, which lowers the immediate risk but not the longer-term one, since open redirects are cheap to weaponize once public.
Mitigation Recommendations
Upgrade OpenCTI to 6.8.3 or later; that is the only complete fix. Where an upgrade has to wait, restrict RelayState at the reverse proxy or WAF in front of the platform: allow only values that are relative paths on the OpenCTI origin (beginning with a single "/", not "//" or "/\") and drop requests to the SAML entry point and to /auth/saml/callback that carry anything else. Two details matter for such a rule: with the SAML HTTP-POST binding RelayState reaches the callback in the request body rather than the query string, so the rule has to inspect form data, and the value is URL-encoded in transit, so it must be decoded before the check. Tell users that a login link which leaves the OpenCTI domain after authentication is suspect. Log and review requests to the SAML endpoints whose RelayState contains a scheme, a host or a protocol-relative prefix, and alert on 302 responses from /auth/saml/callback whose Location header is off-origin. At the application level the control is an allow-list check of RelayState against the platform's own origin, with a fixed landing page as the fallback; the same check run over historical logs is a simple way to find past abuse. Keep incident response runbooks ready for credential theft via phishing, since a successful lure yields a valid session rather than a server compromise, and follow OpenCTI's security advisories for further fixes.
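As an added example (not OpenCTI's code and not the 6.8.3 patch), the following Node.js script shows the vulnerable shape of the redirect next to an allow-list check of RelayState against the platform's own origin, and then applies the same check to access-log lines to flag the abuse pattern described above. The origin https://opencti.example.org, the /dashboard fallback page, the /auth/saml entry path and the log lines are assumptions made for the example; only the /auth/saml/callback path comes from the advisory.

```javascript
// Added example for this advisory. This is not OpenCTI's code and not the
// 6.8.3 fix: it shows the vulnerable shape of a RelayState redirect next to an
// allow-list check, then applies that check to access-log lines. Node.js only,
// no dependencies (URL is a global in Node.js).

// Assumptions for the example: the deployment's public origin, the page users
// land on when RelayState is missing or rejected, and the SAML entry path.
const APP_ORIGIN = "https://opencti.example.org";
const FALLBACK_PATH = "/dashboard";
const SAML_PATH_PREFIX = "/auth/saml"; // covers /auth/saml and /auth/saml/callback

// Shape of the bug: RelayState becomes the Location header as-is, so
// RelayState=https://attacker.example/login yields a 302 to the attacker.
function vulnerableRedirectTarget(relayState) {
  return relayState || FALLBACK_PATH;
}

// True only if `candidate` is a path on our own origin. The WHATWG URL parser
// (the one browsers use) decides where the value really points, which rejects
// absolute URLs, protocol-relative "//host", backslash variants "/\host" and
// "javascript:" alike. A resolved path that begins with "//" is rejected too:
// re-emitting it as a relative Location would be read as protocol-relative.
function isSameOriginPath(candidate, origin = APP_ORIGIN) {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return false;
  }
  if (!candidate.startsWith("/")) return false;               // absolute path only
  if (/[\u0000-\u001f\u007f]/.test(candidate)) return false;  // no CRLF or control bytes near a header
  let resolved;
  try {
    resolved = new URL(candidate, origin);
  } catch (e) {
    return false;
  }
  return resolved.origin === origin && !resolved.pathname.startsWith("//");
}

// Hardened shape: the redirect target is always an absolute URL on our own
// origin, rebuilt from the parsed value, or the fallback page.
function safeRedirectTarget(relayState, origin = APP_ORIGIN) {
  const target = isSameOriginPath(relayState, origin) ? relayState : FALLBACK_PATH;
  return new URL(target, origin).href;
}

// Detection: scan access-log lines (nginx "combined" format) for SAML requests
// whose RelayState fails the check above. Caveat: with the HTTP-POST binding
// RelayState travels in the request body, which ordinary access logs do not
// record, so this only sees values carried in the query string.
const REQUEST_LINE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/;

function suspiciousRelayStates(logText, origin = APP_ORIGIN) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    let req;
    try {
      req = new URL(m.groups.target, origin);
    } catch (e) {
      continue;
    }
    if (!req.pathname.startsWith(SAML_PATH_PREFIX)) continue;
    const relayState = req.searchParams.get("RelayState"); // already percent-decoded
    if (relayState === null || isSameOriginPath(relayState, origin)) continue;
    hits.push({ client: line.split(" ")[0], method: m.groups.method, relayState });
  }
  return hits;
}

// Constructed sample log (not real traffic): two benign requests and three
// open-redirect attempts with different encodings of an external target.
const SAMPLE_LOG = [
  '198.51.100.4 - - [07/Jan/2026:17:42:28 +0000] "GET /auth/saml?RelayState=%2Fdashboard%2Fthreats HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [07/Jan/2026:17:43:01 +0000] "GET /auth/saml?RelayState=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [07/Jan/2026:17:43:09 +0000] "GET /auth/saml?RelayState=%2F%2Fattacker.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [07/Jan/2026:17:44:12 +0000] "POST /auth/saml/callback?RelayState=%2F%5Cattacker.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [07/Jan/2026:17:45:00 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
].join("\n");

// Stand-alone run: node relaystate_check.js
console.log(vulnerableRedirectTarget("https://attacker.example/login")); // https://attacker.example/login
console.log(safeRedirectTarget("https://attacker.example/login"));       // https://opencti.example.org/dashboard
console.log(suspiciousRelayStates(SAMPLE_LOG).map((h) => `${h.client} ${h.method} ${h.relayState}`));
```

The check deliberately delegates to the URL parser instead of pattern-matching the raw string: "//host" and "/\host" both resolve to a foreign origin, and "/..//host" resolves to a path beginning with "//" on our own origin, which is why the final pathname is inspected as well and why the redirect is emitted as an absolute URL. For a WAF rule the same decision has to be made on the decoded value and, for the POST binding, on the form body.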
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-30T19:43:49.902Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e9b047349d0379db428c1
Added to database: 1/7/2026, 5:42:28 PM
Last enriched: 1/7/2026, 5:57:01 PM
Last updated: 1/8/2026, 10:56:44 PM