CVE-2025-64115: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in leepeuker movary
Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.
AI Analysis
Technical Summary
CVE-2025-64115 is a CWE-601 open redirect vulnerability affecting the Movary web application, a tool for tracking and rating movie watch histories. Versions up to and including 0.68.0 use the HTTP Referer header value directly as the redirect target in multiple settings endpoints, without validating it. An attacker can therefore craft a link that, when followed by a user, causes the application to redirect that user to an attacker-controlled website. Open redirects of this kind are commonly used in phishing campaigns: the link appears to belong to a trusted domain, which raises the likelihood that the victim will hand over credentials or accept malware on the destination site. No authentication or privileges are needed; the attack is triggered by enticing a user to click the crafted link, so user interaction is required. The CVSS 4.0 vector reflects this: network attack vector, low attack complexity, no privileges required, and user interaction required (UI:A). Direct confidentiality, integrity and availability impact is rated none; the security impact lies in user deception and the downstream attacks it enables. The issue was addressed in Movary version 0.69.0, presumably by validating or sanitizing redirect targets so that they cannot leave the application's own site. No exploitation in the wild had been reported as of the publication date.
Potential Impact
For European organizations using Movary, this vulnerability primarily poses a phishing risk. Attackers can exploit the open redirect to lure users into visiting malicious websites that appear to be part of the trusted Movary domain, potentially leading to credential theft, malware infections, or other social engineering attacks. While the direct impact on system confidentiality, integrity, or availability is low, the indirect consequences could be significant if attackers leverage this vector to compromise user accounts or deploy further attacks. Organizations with users who frequently access Movary or integrate it into their workflows may face increased risk of targeted phishing campaigns. Additionally, the reputational damage from successful phishing attacks exploiting this vulnerability could affect trust in the organization’s security posture. Since no authentication is required, any user of the vulnerable Movary versions is at risk, increasing the attack surface. The lack of known exploits in the wild suggests limited current exploitation, but the presence of a public CVE and medium severity rating means attackers could develop exploits in the future.
Mitigation Recommendations
The primary mitigation is to upgrade Movary installations to version 0.69.0 or later, where the vulnerability is fixed. Organizations should verify their current Movary version and plan immediate updates to eliminate the open redirect risk. Administrators should additionally ensure that all redirect targets within the application are strictly validated, so that redirects only point to trusted internal locations or explicitly whitelisted domains. Content Security Policy (CSP) headers can help reduce the impact of phishing by restricting the domains the application's pages may load content from, though CSP does not govern where a server-side redirect sends the browser, so it is defence in depth rather than a fix for this issue. User awareness training should emphasize caution when clicking links, especially those that appear to pass through a trusted domain. Monitoring web logs for unusual redirect patterns or suspicious HTTP Referer header values on the affected settings endpoints can help detect exploitation attempts. Finally, organizations should consider deploying anti-phishing tools and email filtering to reduce the likelihood that phishing campaigns leveraging this vulnerability succeed.
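The following is an added example, written for this page and not Movary's own code (Movary is a PHP project; Python is used here so the logic is easy to run and check). It shows the two controls the recommendations above call for: a validator that accepts a Referer-derived redirect target only when it stays on the application's own origin, falling back to a fixed internal page otherwise, and a log scanner that applies the same rule to redirects from the settings endpoints to surface the Referer values that would have sent a user off-site on an unpatched instance. `APP_ORIGIN`, `DEFAULT_TARGET`, `REDIRECTING_PREFIXES`, the combined-log format and the sample log lines are all assumptions constructed for the example.

```python
"""Referer-derived redirect target, validated against the app's own origin.

Added example, not Movary's code. Assumes the application knows its own origin
(APP_ORIGIN, constructed) and has a safe default landing page (DEFAULT_TARGET,
constructed) to use when the Referer header is absent or untrusted.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

APP_ORIGIN = "https://movary.example.com"   # constructed: this deployment's origin
DEFAULT_TARGET = "/settings"                # constructed: safe internal fallback
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_key(origin: str) -> tuple:
    """(scheme, host, port) for an absolute origin, default port filled in."""
    p = urlsplit(origin)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme)


def safe_redirect_target(referer, app_origin: str = APP_ORIGIN) -> Optional[str]:
    """Return a same-site path derived from the Referer, or None if it is untrusted.

    Accepted: a relative path with a single leading '/', or an absolute URL whose
    scheme, host and port equal the application's origin. Rejected: other hosts,
    protocol-relative '//host', userinfo tricks ('https://ours@evil'), backslashes,
    spaces/control characters, and non-http schemes such as 'javascript:'.
    The result never carries a scheme or host, so a Location header built from it
    cannot point off-site whatever the input looked like.
    """
    if not referer:
        return None
    # Browsers strip tabs/newlines and treat '\' like '/'; refuse such input
    # outright instead of trying to mirror every parser quirk.
    if "\\" in referer or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in referer):
        return None
    try:
        parts = urlsplit(referer)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: must match our origin exactly.
        if "@" in parts.netloc:
            return None
        scheme = parts.scheme.lower()
        key = (scheme, (parts.hostname or "").lower(), port or _DEFAULT_PORTS.get(scheme))
        if key != _origin_key(app_origin):
            return None
    elif not referer.startswith("/") or referer.startswith("//"):
        # Relative reference: exactly one leading slash. '///evil.example' parses as
        # a path in Python but as host 'evil.example' in browsers, hence the raw check.
        return None

    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def redirect_location(referer, app_origin: str = APP_ORIGIN,
                      default: str = DEFAULT_TARGET) -> str:
    """What a settings handler should put in Location: the validated path or the default."""
    return safe_redirect_target(referer, app_origin) or default


# Apache/nginx combined-log format; Referer is the first quoted field after the size.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumption: the endpoints that redirect back to the Referer live under these prefixes.
REDIRECTING_PREFIXES = ("/settings",)


def suspicious_referer_redirects(log_lines, app_origin: str = APP_ORIGIN):
    """(ip, path, referer) for 3xx responses from the redirecting endpoints whose
    Referer fails validation, i.e. would have produced an off-site redirect."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ref = m["referer"]
        if (m["path"].startswith(REDIRECTING_PREFIXES) and m["status"].startswith("3")
                and ref not in ("", "-") and safe_redirect_target(ref, app_origin) is None):
            hits.append((m["ip"], m["path"], ref))
    return hits


SAMPLE_LOG = [  # constructed sample lines; only the 2nd and 4th should be flagged
    '203.0.113.5 - - [01/Nov/2025:10:00:01 +0000] "POST /settings/general HTTP/1.1" 302 0 '
    '"https://movary.example.com/settings/general" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Nov/2025:10:00:14 +0000] "POST /settings/general HTTP/1.1" 302 0 '
    '"https://movary-login.example.net/signin" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Nov/2025:10:00:30 +0000] "GET /movies/42 HTTP/1.1" 200 5120 '
    '"https://search.example.org/" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Nov/2025:10:01:12 +0000] "POST /settings/general HTTP/1.1" 302 0 '
    '"//movary.example.com.attacker.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ref in ["/settings/general", "//evil.example", "https://movary.example.com/x?y=1"]:
        print(repr(ref), "->", redirect_location(ref))
    for hit in suspicious_referer_redirects(SAMPLE_LOG):
        print("suspicious redirect:", hit)
```

The validator returns a path rather than echoing an accepted absolute URL, so even a correct same-origin Referer is rewritten to a relative target; that removes the whole class of host-confusion tricks from the output side. The scanner deliberately ignores off-site Referers on ordinary pages, since inbound links from search engines or other sites are normal there, and only looks at 3xx responses from the endpoints that actually use the header for redirection.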
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-27T15:26:14.128Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6903a6a4aebfcd54748ac66f
Added to database: 10/30/2025, 5:55:48 PM
Last enriched: 10/30/2025, 6:11:30 PM
Last updated: 10/30/2025, 9:15:39 PM
Related Threats
- CVE-2025-60950: n/a (Medium)
- CVE-2025-61498: n/a (High)
- CVE-2025-61141: n/a (High)
- Automating COM/DCOM vulnerability research (Medium)
- CVE-2025-8850: CWE-440 Expected Behavior Violation in danny-avila danny-avila/librechat (Low)