CVE-2025-7365 is a medium-severity vulnerability identified in the Red Hat Build of Keycloak, an open-source identity and access management solution widely used for single sign-on and identity federation. The flaw arises during the process where an authenticated attacker attempts to merge their account with another existing account via an identity provider (IdP) login. After initiating the merge, the attacker is prompted to review profile information, during which they can modify their email address to match that of a victim's account. This triggers a verification email sent to the victim's email address. Critically, the verification email does not include the attacker's email address, which creates a phishing vector. If the victim clicks the verification link, the attacker gains unauthorized access to the victim's account. The vulnerability exploits an origin validation error and insufficient verification controls during the account merge process, allowing an attacker to hijack accounts by manipulating email verification flows. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, high attack complexity, low privileges required, user interaction needed, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. No known exploits are reported in the wild yet, and no patches or mitigations have been linked at the time of publication. This vulnerability highlights a critical weakness in the identity federation and account linking mechanisms, potentially undermining trust in authentication workflows and enabling account takeover through social engineering and phishing.

For European organizations, the impact of CVE-2025-7365 is significant, especially for those relying on Red Hat Build of Keycloak for identity and access management. Successful exploitation can lead to unauthorized account access, compromising sensitive personal and corporate data, and potentially enabling lateral movement within enterprise networks. The phishing aspect increases risk as victims may unknowingly facilitate account takeover. This can result in data breaches, regulatory non-compliance (notably GDPR violations due to unauthorized access to personal data), reputational damage, and financial losses. Organizations in sectors with high identity assurance requirements such as finance, healthcare, government, and critical infrastructure are particularly vulnerable. The medium CVSS score reflects the need for user interaction and higher attack complexity, but the confidentiality impact is high, emphasizing the risk to sensitive information. Given the widespread use of Keycloak in European enterprises and public sector entities, this vulnerability could have broad implications if exploited.

To mitigate CVE-2025-7365, organizations should: 1) Immediately monitor for updates and patches from Red Hat and apply them as soon as they become available. 2) Review and harden account merge and identity provider login workflows to ensure strict validation of email changes and verification processes, including ensuring verification emails clearly indicate the source and intended recipient. 3) Implement multi-factor authentication (MFA) to reduce the risk of account takeover even if email verification is compromised. 4) Educate users about phishing risks related to verification emails and encourage verification of email authenticity before clicking links. 5) Employ anomaly detection to identify unusual account merge or email change activities. 6) Restrict the ability to merge accounts or change critical profile attributes to higher privilege roles or require additional verification steps. 7) Conduct regular security assessments of identity federation configurations and workflows. 8) Log and audit all account merge and email change events for forensic analysis. These measures go beyond generic advice by focusing on the specific attack vector and workflow exploited in this vulnerability.