
CVE-2025-7365: Origin Validation Error in Red Hat Red Hat Build of Keycloak

Severity: Medium
Published: Thu Jul 10 2025 (07/10/2025, 14:20:45 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

AI-Powered Analysis

Last updated: 07/10/2025, 14:46:33 UTC

Technical Analysis

CVE-2025-7365 is a medium-severity vulnerability identified in the Red Hat Build of Keycloak, an open-source identity and access management solution widely used for single sign-on and identity federation. The flaw arises during the process where an authenticated attacker attempts to merge their account with another existing account via an identity provider (IdP) login. After initiating the merge, the attacker is prompted to review profile information, during which they can modify their email address to match that of a victim's account. This triggers a verification email sent to the victim's email address. Critically, the verification email does not include the attacker's email address, which creates a phishing vector. If the victim clicks the verification link, the attacker gains unauthorized access to the victim's account. The vulnerability exploits an origin validation error and insufficient verification controls during the account merge process, allowing an attacker to hijack accounts by manipulating email verification flows. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, high attack complexity, low privileges required, user interaction needed, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. No known exploits are reported in the wild yet, and no patches or mitigations have been linked at the time of publication. This vulnerability highlights a critical weakness in the identity federation and account linking mechanisms, potentially undermining trust in authentication workflows and enabling account takeover through social engineering and phishing.

Potential Impact

For European organizations, the impact of CVE-2025-7365 is significant, especially for those relying on Red Hat Build of Keycloak for identity and access management. Successful exploitation can lead to unauthorized account access, compromising sensitive personal and corporate data, and potentially enabling lateral movement within enterprise networks. The phishing aspect increases risk as victims may unknowingly facilitate account takeover. This can result in data breaches, regulatory non-compliance (notably GDPR violations due to unauthorized access to personal data), reputational damage, and financial losses. Organizations in sectors with high identity assurance requirements such as finance, healthcare, government, and critical infrastructure are particularly vulnerable. The medium CVSS score reflects the need for user interaction and higher attack complexity, but the confidentiality impact is high, emphasizing the risk to sensitive information. Given the widespread use of Keycloak in European enterprises and public sector entities, this vulnerability could have broad implications if exploited.

Mitigation Recommendations

To mitigate CVE-2025-7365, organizations should:

1) Immediately monitor for updates and patches from Red Hat and apply them as soon as they become available.
2) Review and harden account merge and identity provider login workflows to ensure strict validation of email changes and verification processes, including ensuring verification emails clearly indicate the source and intended recipient.
3) Implement multi-factor authentication (MFA) to reduce the risk of account takeover even if email verification is compromised.
4) Educate users about phishing risks related to verification emails and encourage verification of email authenticity before clicking links.
5) Employ anomaly detection to identify unusual account merge or email change activities.
6) Restrict the ability to merge accounts or change critical profile attributes to higher privilege roles or require additional verification steps.
7) Conduct regular security assessments of identity federation configurations and workflows.
8) Log and audit all account merge and email change events for forensic analysis.

These measures go beyond generic advice by focusing on the specific attack vector and workflow exploited in this vulnerability.
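As an added illustration of recommendations 5) and 8) above (example code, not part of this advisory or of Keycloak), the following Python correlates Keycloak-style event records and flags an email change that claims an address already owned by a different account, noting whether it occurred inside an IdP login/link flow in the same session. The event type names, the detail keys "previous_email"/"updated_email" and the account directory are assumptions modelled on Keycloak's event log; the records are constructed.

```python
import json

# Constructed directory of existing accounts (email -> user id). In a real
# deployment this would come from the Keycloak admin API or a user export.
KNOWN_ACCOUNTS = {
    "victim@example.org": "user-victim-001",
    "attacker@example.net": "user-attacker-002",
}

# Constructed Keycloak-style event records (one JSON object per line). Event
# type names and detail keys are assumptions based on Keycloak's event model;
# verify them against the version you run.
SAMPLE_EVENTS = """\
{"time":1752157200000,"type":"IDENTITY_PROVIDER_FIRST_LOGIN","realmId":"demo","userId":"user-attacker-002","sessionId":"s-1","details":{"identity_provider":"corp-idp"}}
{"time":1752157230000,"type":"UPDATE_EMAIL","realmId":"demo","userId":"user-attacker-002","sessionId":"s-1","details":{"previous_email":"attacker@example.net","updated_email":"victim@example.org"}}
{"time":1752157231000,"type":"SEND_VERIFY_EMAIL","realmId":"demo","userId":"user-attacker-002","sessionId":"s-1","details":{"email":"victim@example.org"}}
{"time":1752160000000,"type":"UPDATE_EMAIL","realmId":"demo","userId":"user-other-003","sessionId":"s-2","details":{"previous_email":"old@example.com","updated_email":"new@example.com"}}
"""

# Event types that mark an identity-provider login or account-link step.
IDP_EVENTS = {"IDENTITY_PROVIDER_FIRST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT",
              "FEDERATED_IDENTITY_LINK"}


def find_email_collisions(event_lines, known_accounts, window_ms=600_000):
    """Return alerts for UPDATE_EMAIL events whose new address already belongs
    to a different user id. Each alert records whether the change followed an
    IdP login/link event in the same session within `window_ms`."""
    idp_flow = {}   # sessionId -> time of the most recent IdP event
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        details = ev.get("details", {})
        if ev["type"] in IDP_EVENTS:
            idp_flow[ev.get("sessionId")] = ev["time"]
        elif ev["type"] == "UPDATE_EMAIL":
            new_email = details.get("updated_email", "").strip().lower()
            owner = known_accounts.get(new_email)
            if owner and owner != ev["userId"]:
                t0 = idp_flow.get(ev.get("sessionId"))
                alerts.append({
                    "userId": ev["userId"],
                    "claimed_email": new_email,
                    "existing_owner": owner,
                    "during_idp_flow": t0 is not None and ev["time"] - t0 <= window_ms,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_email_collisions(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print("ALERT", json.dumps(alert))
```

Run against a live export, the same check can be scheduled on the event store or wired into a SIEM rule; the constructed data yields exactly one alert, for the change that reuses an existing account's address during an IdP session.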


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-07-08T18:22:15.734Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686fceada83201eaaca818f9

Added to database: 7/10/2025, 2:31:09 PM

Last enriched: 7/10/2025, 2:46:33 PM

Last updated: 7/10/2025, 8:31:07 PM

