CVE-2025-64781: Initialization of a resource with an insecure default in Japan Total System Co.,Ltd. GroupSession Free edition
In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. With this configuration, the user may be redirected to an arbitrary website when accessing a specially crafted URL.
AI Analysis
Technical Summary
CVE-2025-64781 is a vulnerability identified in Japan Total System Co., Ltd.'s GroupSession collaboration software, specifically in the Free edition, byCloud, and ZION versions prior to 5.7.1. The root cause is an insecure default setting where the 'External page display restriction' is configured as 'Do not limit' upon installation or initialization. This misconfiguration allows an attacker to craft URLs that, when accessed by a user, cause the application to redirect the user to arbitrary external websites. This behavior can be exploited for phishing attacks, social engineering, or redirecting users to malicious domains without their knowledge. The vulnerability has a CVSS 3.0 base score of 4.7, indicating medium severity. It is remotely exploitable over the network without authentication (AV:N, PR:N), requires low attack complexity (AC:L), but does require user interaction (UI:R). The scope is changed (S:C) because the vulnerability affects components beyond the initially vulnerable component, and the impact is limited to integrity (I:L) with no confidentiality or availability impact. No known exploits have been reported in the wild as of the publication date. The vulnerability can be mitigated by updating to version 5.7.1 or later, which presumably changes the default configuration to restrict external page displays, thereby preventing arbitrary redirection.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily related to user trust and potential phishing or social engineering attacks. If exploited, users could be redirected to malicious websites that may attempt to harvest credentials, deliver malware, or conduct fraud. While the vulnerability does not directly compromise system confidentiality or availability, the integrity of user interactions and the organization's reputation could be harmed. Organizations relying on GroupSession for internal collaboration or external communications could see increased risk of targeted phishing campaigns leveraging this redirect capability. The impact is more pronounced in sectors with high reliance on secure collaboration tools, such as finance, government, and critical infrastructure. Additionally, organizations with less mature user awareness programs may be more vulnerable to exploitation via this vector.
Mitigation Recommendations
1. Immediately upgrade all affected GroupSession products (Free edition, byCloud, ZION) to version 5.7.1 or later, where the insecure default is corrected.
2. If upgrading is not immediately possible, manually change the 'External page display restriction' setting from 'Do not limit' to a restrictive mode that prevents arbitrary external redirects.
3. Implement URL filtering and web proxy controls to detect and block suspicious redirection attempts originating from GroupSession URLs.
4. Conduct user awareness training focused on recognizing suspicious URLs and the risks of clicking on links from untrusted sources.
5. Monitor logs for unusual redirect patterns or spikes in external URL accesses from GroupSession.
6. Consider deploying web application firewalls (WAF) with custom rules to detect and block exploitation attempts targeting this vulnerability.
7. Coordinate with Japan Total System Co., Ltd. for any additional patches or security advisories related to this vulnerability.
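The setting at the heart of this advisory is, in effect, a policy on where a redirect may send the user. The following added example (not GroupSession's own code; the mode names, hostnames and paths are constructed placeholders) contrasts a "Do not limit" policy with a restrictive one that accepts only on-site paths or allowlisted hosts, and shows the forms a restrictive check has to handle beyond a naive prefix comparison.

```python
from urllib.parse import urlsplit

# The two settings the advisory contrasts (constructed names, not GroupSession's own).
DO_NOT_LIMIT = "do_not_limit"  # insecure default in versions before 5.7.1
RESTRICT = "restrict"          # only on-site paths or allowlisted hosts


def redirect_allowed(target: str, mode: str, allowed_hosts=frozenset()) -> bool:
    """Return True if 'target' may be used as a redirect destination under 'mode'."""
    if mode == DO_NOT_LIMIT:
        return True  # every destination accepted: this is what "Do not limit" amounts to
    if mode != RESTRICT:
        raise ValueError(f"unknown mode: {mode!r}")
    # Reject empty targets and anything carrying whitespace or control characters.
    if not target or any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat a backslash like a slash in the authority position,
    # so '/\evil.example' behaves like the protocol-relative '//evil.example'.
    normalized = target.replace("\\", "/")
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    if not parts.scheme and not parts.netloc:
        return normalized.startswith("/")  # a plain absolute path stays on the current origin
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: and similar schemes
    # .hostname drops userinfo and port and lowercases, so
    # 'https://good.example@evil.example/' is judged by 'evil.example'.
    return (parts.hostname or "") in allowed_hosts


# Constructed redirect targets; hostnames and paths are placeholders.
SAMPLE_TARGETS = [
    "/portal/home",
    "https://groupware.example/cal/",
    "https://evil.example/login",
    "//evil.example/login",
    "/\\evil.example/login",
    "https://groupware.example@evil.example/",
    "javascript:void(0)",
]


def compare_modes(targets=SAMPLE_TARGETS, allowed_hosts=frozenset({"groupware.example"})):
    """Map each target to (allowed under 'Do not limit', allowed under 'restrict')."""
    return {t: (redirect_allowed(t, DO_NOT_LIMIT), redirect_allowed(t, RESTRICT, allowed_hosts))
            for t in targets}


if __name__ == "__main__":
    for target, (open_mode, restricted) in compare_modes().items():
        print(f"{target:45} do_not_limit={open_mode!s:5} restrict={restricted}")
```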
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2025-11-27T05:42:04.952Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 693bb362e6d9263eb3473347
Added to database: 12/12/2025, 6:17:06 AM
Last enriched: 12/12/2025, 6:17:49 AM
Last updated: 12/12/2025, 11:25:33 PM