CVE-2025-7702: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Pusula Communication Information Internet Industry and Trade Ltd. Co. Manageable Email Sending System
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Pusula Communication Information Internet Industry and Trade Ltd. Co. Manageable Email Sending System allows Exploiting Trust in Client. This issue affects Manageable Email Sending System: from <=2025.06 before 2025.08.06.
AI Analysis
Technical Summary
CVE-2025-7702 is an Open Redirect vulnerability (CWE-601) identified in the Manageable Email Sending System developed by Pusula Communication Information Internet Industry and Trade Ltd. Co. This vulnerability affects versions up to and including 2025.06 and was published on September 19, 2025. The flaw allows an attacker to craft malicious URLs that redirect users from a trusted domain to an untrusted, potentially malicious external site. This occurs because the application does not properly validate or restrict URL parameters used for redirection, enabling exploitation of user trust in the legitimate domain. The vulnerability has a CVSS 3.1 base score of 4.7 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact is limited to confidentiality (C:L) with no impact on integrity or availability. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of phishing, social engineering, and session hijacking attacks by redirecting users to malicious sites that could harvest credentials or deliver malware. Since this affects an email sending system, attackers could leverage this to manipulate email recipients into clicking malicious links appearing to originate from a trusted source, increasing the likelihood of successful attacks.
Potential Impact
For European organizations using the Manageable Email Sending System, this vulnerability could facilitate targeted phishing campaigns and social engineering attacks that exploit user trust in legitimate email communications. The open redirect could be used to bypass security filters or to disguise malicious URLs, increasing the risk of credential theft, malware infection, or unauthorized access to sensitive information. This is particularly concerning for sectors with high email communication volumes such as finance, healthcare, and government institutions. The confidentiality impact, while rated low, can lead to significant indirect consequences if attackers gain access to user credentials or sensitive data through redirected phishing sites. Additionally, the changed scope indicates that the vulnerability could affect multiple components or systems interacting with the email platform, potentially amplifying the attack surface. The medium severity rating suggests that while the vulnerability is not critical, it should not be ignored, especially in environments where email is a primary communication vector and trust exploitation can have cascading effects.
Mitigation Recommendations
Organizations should immediately verify if they are running affected versions (<=2025.06) of the Manageable Email Sending System and prioritize upgrading to a patched version once available. In the absence of an official patch, implement strict input validation and sanitization on all URL parameters used for redirection to ensure only trusted, whitelisted domains are allowed. Employ web application firewalls (WAFs) with rules designed to detect and block open redirect attempts. Educate users on recognizing suspicious links and encourage verification of URLs before clicking, especially in emails. Additionally, implement multi-factor authentication (MFA) to reduce the impact of credential compromise resulting from phishing. Monitor email traffic for unusual redirect patterns or spikes in user complaints related to phishing. Finally, coordinate with the vendor for timely patch releases and security advisories to stay updated on remediation progress.
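The allowlist validation recommended above, as an added example (not code from the vendor or from the affected product): a redirect-target validator that accepts only same-origin absolute paths or exact-match https hosts, and rejects the parsing ambiguities that usually defeat naive checks. The allowlisted host names, the https-only policy and the fallback path are assumptions for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: the only hosts an off-site redirect may target.
ALLOWED_HOSTS = {"mail.example.com", "portal.example.com"}
FALLBACK = "/"  # where to send the user when the requested target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return the redirect target if it is same-origin or on an allowlisted host,
    otherwise the fallback. Never returns a target that could leave the trusted site."""
    if not isinstance(raw, str) or not raw:
        return fallback
    # Browsers strip tabs/newlines and treat backslashes as slashes before parsing,
    # so a target containing either may be interpreted differently than urlsplit sees it.
    if "\\" in raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return fallback
    # "//host" and "///host" are scheme-relative in browsers (they change the origin),
    # even though urlsplit leaves the netloc empty for the three-slash form.
    if raw.startswith("//"):
        return fallback
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative target: must be an absolute path on the current origin.
        if parts.path.startswith("/"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return fallback
    # Absolute target: https only, no userinfo or port, exact-host allowlist match
    # (substring or suffix matching on the host is the classic mistake behind CWE-601).
    if parts.scheme.lower() != "https":
        return fallback
    try:
        port = parts.port
    except ValueError:  # malformed port such as "host:abc"
        return fallback
    if parts.username is not None or parts.password is not None or port is not None:
        return fallback
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return fallback
    # Rebuild from the parsed, normalised pieces; the fragment is dropped.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
```

Wire the function in front of every redirect that takes its destination from a request parameter or a link in an outgoing email, and log the rejected inputs: a spike in fallbacks is the detection signal for attempted abuse.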
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-07-16T08:56:49.137Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cd76f94b8a032c4faa63a0
Added to database: 9/19/2025, 3:30:01 PM
Last enriched: 9/19/2025, 3:31:12 PM
Last updated: 12/16/2025, 4:35:22 PM