
CVE-2025-70963: n/a

Severity: High
Published: Fri Feb 06 2026 (02/06/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

AI-Powered Analysis

AI analysis last updated: 02/06/2026, 18:15:00 UTC

Technical Analysis

CVE-2025-70963 identifies a critical incorrect access control vulnerability in Gophish versions up to 0.12.1, a popular open-source phishing simulation platform. The vulnerability arises because the administrative dashboard embeds each user's long-lived API key directly into the rendered HTML and JavaScript on every login session. This design flaw means that any script executing within the browser context—whether injected via cross-site scripting (XSS) or malicious browser extensions—can access these permanent API credentials. API keys are sensitive tokens that grant full programmatic access to the Gophish instance, enabling attackers to manipulate phishing campaigns, retrieve sensitive data, or escalate attacks. The vulnerability does not require additional authentication beyond dashboard login, nor does it require user interaction beyond normal use. Although no public exploits have been reported, the exposure of long-lived credentials in client-side code significantly increases the risk of compromise. The lack of a CVSS score indicates the need for manual severity assessment. The vulnerability primarily impacts confidentiality and integrity, as attackers can steal credentials and misuse them. The scope includes all users with dashboard access on vulnerable Gophish versions. The vulnerability is particularly concerning for organizations relying on Gophish for security awareness training, as compromised API keys could undermine trust and security posture.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the security of phishing simulation and awareness programs. Compromise of API keys could allow attackers to hijack phishing campaigns, potentially using them to launch real phishing attacks against employees or partners, thereby increasing the risk of credential theft and malware infections. This undermines the effectiveness of security training and could lead to reputational damage, regulatory penalties (especially under GDPR if personal data is exposed), and operational disruptions. Organizations using Gophish in regulated sectors such as finance, healthcare, and critical infrastructure are particularly vulnerable due to the sensitive nature of their data and the potential for cascading security failures. Additionally, attackers gaining control over phishing campaigns could manipulate training results, masking real vulnerabilities. The exposure of API keys also increases the risk of lateral movement within networks if attackers leverage compromised credentials to access other integrated systems. Overall, the vulnerability threatens confidentiality, integrity, and indirectly availability by enabling persistent unauthorized access.

Mitigation Recommendations

Immediate mitigation steps include restricting access to the Gophish administrative dashboard to trusted networks and users only, using network segmentation and VPNs. Organizations should implement strict Content Security Policies (CSP) to prevent unauthorized scripts from running in the browser context, reducing the risk of credential theft via injected scripts. Monitoring and auditing dashboard access logs can help detect suspicious activity related to API key misuse. Until a patched version is released, consider rotating API keys regularly and limiting their permissions where possible. Educate users to avoid installing untrusted browser extensions and to be vigilant against phishing attempts that could lead to session hijacking. Once a patch or updated Gophish version is available, promptly apply it to remove the exposure of API keys in the client-side code. Additionally, consider implementing multi-factor authentication (MFA) for dashboard access to add an extra layer of security. Finally, review and update incident response plans to address potential API key compromise scenarios.
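Two checks a defender can run for the exposure and the CSP advice above, added here as example code that is not from this page or from the Gophish project. The first parses a rendered dashboard page and reports any 64-hex token inside an inline script (the API key format assumed here; the sample page is constructed); the second tests whether a CSP header actually forbids inline scripts. Note that a CSP cannot remove a key the page itself emits; it only limits what injected scripts can do.

```python
import re
from html.parser import HTMLParser

# Assumption: the long-lived API key is a 64-character lowercase hex string.
# Any SHA-256 digest in inline JS would also match, so treat hits as leads.
HEX_KEY = re.compile(r"\b[0-9a-f]{64}\b")


class InlineScriptCollector(HTMLParser):
    """Collect the bodies of <script> elements that have no src attribute."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(k == "src" for k, _ in attrs):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def find_exposed_keys(html):
    """Return sorted unique key-like tokens embedded in inline scripts."""
    parser = InlineScriptCollector()
    parser.feed(html)
    return sorted({key for body in parser.scripts for key in HEX_KEY.findall(body)})


def csp_blocks_inline_scripts(csp_header):
    """True if script-src (or its default-src fallback) lacks 'unsafe-inline'."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in sources


# Constructed sample page: an external bundle plus an inline user object.
DEMO_KEY = "0" * 60 + "beef"  # placeholder value, not a real key
SAMPLE_PAGE = f"""<html><head><script src="/js/app.js"></script>
<script>var user = {{"username": "admin", "api_key": "{DEMO_KEY}"}};</script>
</head><body><h1>Dashboard</h1></body></html>"""
```

Run `find_exposed_keys` on the HTML you fetch from your own instance after login; a hit means the key is readable by any script in that page.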


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-01-09T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69862c29f9fa50a62f24b16c

Added to database: 2/6/2026, 6:00:09 PM

Last enriched: 2/6/2026, 6:15:00 PM

Last updated: 2/6/2026, 7:23:17 PM
