
CVE-2025-8066: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Bunkerity Bunker Web

Medium
Tags: Vulnerability, CVE-2025-8066, CWE-601
Published: Fri Aug 15 2025 (08/15/2025, 16:10:41 UTC)
Source: CVE Database V5
Vendor/Project: Bunkerity
Product: Bunker Web

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bunkerity Bunker Web on Linux allows Phishing. This issue affects Bunker Web: 1.6.2.

AI-Powered Analysis

Last updated: 08/26/2025, 00:35:51 UTC

Technical Analysis

CVE-2025-8066 is an Open Redirect vulnerability (CWE-601) identified in Bunkerity's Bunker Web version 1.6.2, a web application running on Linux. This vulnerability allows an attacker to craft malicious URLs that redirect users to untrusted external sites without proper validation. The flaw arises because the application fails to adequately verify or sanitize URL parameters used for redirection, enabling attackers to exploit this behavior for phishing attacks. When a user clicks on a manipulated link, they are redirected to a malicious site that may impersonate legitimate services, potentially leading to credential theft or malware delivery. The vulnerability has a CVSS 4.0 base score of 4.8 (medium severity), indicating it is network exploitable with low attack complexity and no privileges required, but it requires user interaction. The impact on confidentiality is limited, with some integrity impact due to phishing potential, and no direct availability impact. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in July 2025 and published in August 2025, indicating recent discovery and disclosure.

Potential Impact

For European organizations using Bunker Web 1.6.2, this vulnerability poses a moderate risk primarily through social engineering and phishing campaigns. Attackers could leverage the open redirect to trick employees or customers into visiting malicious websites that mimic trusted portals, potentially leading to credential compromise or malware infections. This could result in unauthorized access to sensitive systems or data breaches. Although the vulnerability itself does not allow direct system compromise, the phishing vector could be a stepping stone for more severe attacks. Organizations handling sensitive personal data under GDPR could face regulatory scrutiny if phishing leads to data breaches. Additionally, sectors with high reliance on secure web portals, such as finance, healthcare, and government services, may experience reputational damage and operational disruptions if users fall victim to these attacks.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict validation and sanitization of all URL parameters used for redirection within Bunker Web, ensuring only trusted internal URLs are allowed.
2. Employ allowlists for redirect destinations rather than blacklists to prevent bypass.
3. Educate users and employees about the risks of clicking on suspicious links, especially those appearing to come from Bunker Web.
4. Monitor web traffic for unusual redirect patterns and phishing attempts targeting the organization.
5. Deploy web application firewalls (WAFs) with rules to detect and block open redirect exploitation attempts.
6. Coordinate with Bunkerity to obtain and apply patches or updates once available.
7. Consider implementing multi-factor authentication (MFA) on affected portals to reduce the impact of credential theft.
8. Conduct phishing simulation exercises to raise awareness and resilience among users.
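The allowlist check in recommendations 1 and 2, as an added illustration (this is not BunkerWeb's own code, and the hostnames in ALLOWED_HOSTS are constructed placeholders). It accepts only site-relative paths or absolute http(s) URLs whose host is on the allowlist, and it handles the scheme-relative ("//host"), backslash and userinfo ("host@other") forms that naive prefix checks miss:

```python
from urllib.parse import urlsplit

# Hosts this deployment may redirect to. Constructed example values, not
# BunkerWeb configuration; replace with the portal's own hostnames.
ALLOWED_HOSTS = {"portal.example.org"}
FALLBACK = "/"


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """Return True only if `target` is a relative path on this site or an
    absolute http(s) URL whose host is on the allowlist."""
    # Reject empty values and anything with whitespace or control characters;
    # browsers strip tabs/newlines, which can hide a scheme from the parser.
    if not target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return False
    # Browsers treat a backslash like a forward slash, so normalise before
    # parsing; otherwise "/\other.example" parses as a harmless local path.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and similar schemes
    if parts.netloc:
        # Absolute or scheme-relative URL: the host (not the userinfo part
        # before "@") must be on the allowlist.
        host = parts.hostname or ""
        return host.lower() in allowed_hosts
    # No host component: must be a site-relative path with exactly one
    # leading "/" ("///host" is treated as a host by some browsers).
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS,
                  fallback: str = FALLBACK) -> str:
    """Return `target` if it passes the allowlist check, else the fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback
```

Wire `safe_redirect` in front of whatever issues the HTTP redirect so that an untrusted `next`/`redirect` parameter can only ever land on the fallback or an allowlisted host.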


Technical Details

Data Version: 5.1
Assigner Short Name: Fluid Attacks
Date Reserved: 2025-07-22T22:43:32.674Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689f5dabad5a09ad006e89d1

Added to database: 8/15/2025, 4:17:47 PM

Last enriched: 8/26/2025, 12:35:51 AM

Last updated: 9/27/2025, 6:32:39 AM
