
CVE-2025-9193: Open Redirect in TOTVS Portal Meu RH

Medium
Tags: Vulnerability, CVE-2025-9193
Published: Wed Aug 20 2025 (08/20/2025, 00:02:07 UTC)
Source: CVE Database V5
Vendor/Project: TOTVS
Product: Portal Meu RH

Description

A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Affected is an unknown function of the component Password Reset Handler. Manipulation of the argument redirectUrl can lead to an open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 or 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains that "[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs." This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 08/27/2025, 01:02:25 UTC

Technical Analysis

CVE-2025-9193 is a medium-severity open redirect vulnerability in the TOTVS Portal Meu RH product, affecting versions up to 12.1.17. The flaw resides in the Password Reset Handler component, where manipulation of the redirectUrl argument produces an open redirect: an attacker can craft a link that, when followed by a user, sends the browser to an arbitrary external site. The vulnerability can be exploited remotely without authentication, although user interaction is required to trigger the redirect. The vendor has stated that the issue does not exist in currently supported releases, where the redirectUrl parameter is ignored; the affected versions, however, are no longer supported and remain vulnerable. Exploit code has been published, which increases the risk of exploitation. The CVSS 4.0 base score is 5.1 (medium), reflecting a network attack vector, low attack complexity and no privileges required, offset by the need for user interaction. The direct impact on the confidentiality, integrity and availability of the system is minimal; the real risk is to user trust, since the redirect can be used to support phishing or social engineering, for example credential theft or malware delivery from a site the user believes to be a legitimate password reset flow. The recommended mitigation is to upgrade to version 12.1.2410.274, 12.1.2502.178 or 12.1.2506.121, where the redirectUrl parameter is ignored. Because the affected versions are unsupported, organizations still running them should prioritize upgrading or consider compensating controls such as a web application firewall (WAF) that detects and blocks malicious redirect attempts.

Potential Impact

For European organizations using TOTVS Portal Meu RH versions up to 12.1.17, this vulnerability poses a risk primarily to user trust and through phishing attacks. Attackers can exploit the open redirect to lure users to malicious websites under the guise of a legitimate password reset flow, potentially leading to credential compromise or malware infection. While the direct impact on system confidentiality, integrity or availability is limited, the indirect consequences can be severe, especially in sectors handling sensitive employee or HR data. This could result in reputational damage, regulatory scrutiny under GDPR for insufficient protection of user data, and financial losses. Organizations relying on unsupported versions face increased risk because no vendor patches or official support are available. The presence of published exploits heightens the urgency of mitigation. Since the vulnerability requires user interaction, social engineering campaigns targeting employees are the likely delivery vector.

Mitigation Recommendations

1. Immediately upgrade to supported TOTVS Portal Meu RH versions (12.1.2410.274, 12.1.2502.178 or 12.1.2506.121), which address the vulnerability by ignoring the redirectUrl parameter.
2. For organizations unable to upgrade promptly, deploy web application firewalls (WAFs) with rules to detect and block suspicious redirectUrl parameters or unusual redirect patterns in HTTP requests.
3. Implement strict input validation and sanitization of URL parameters at the application or proxy level to prevent open redirect exploitation.
4. Conduct user awareness training on phishing and social engineering risks, emphasizing caution when clicking on password reset or similar links.
5. Monitor logs for unusual redirect activity or spikes in password reset requests that could indicate exploitation attempts.
6. Consider isolating or restricting access to the affected Portal Meu RH instances until upgrades can be applied, especially if they are exposed to the internet.
7. Review and update incident response plans to include scenarios involving open redirect exploitation and phishing campaigns.
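As an added example (not code from this advisory or from TOTVS), the redirect validation from recommendation 3 and the log check from recommendation 5 in Python. It assumes a placeholder allowed host, hr.example.com, and a constructed access-log layout; the handler would use safe_redirect_target() in place of trusting redirectUrl directly.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the password-reset flow may send a browser to (constructed placeholder value).
ALLOWED_HOSTS = {"hr.example.com"}
DEFAULT_TARGET = "/login"

def check_redirect(redirect_url, allowed_hosts=ALLOWED_HOSTS):
    """Return the normalised target if it stays on an allowed host, else None."""
    if not redirect_url:
        return None
    # Decode once and fold backslashes to slashes, as browsers do when parsing.
    candidate = unquote(redirect_url).strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None  # javascript:, data: and similar schemes are never redirect targets
    if parts.netloc:
        # Absolute or protocol-relative ('//host') URL: reject userinfo, which can
        # disguise the real host ('https://allowed@other'), then check the host itself.
        if parts.username is not None or parts.password is not None:
            return None
        return candidate if (parts.hostname or "").lower() in allowed_hosts else None
    # Bare path: exactly one leading '/', so 'other.example' or '//other' cannot pass.
    return candidate if candidate.startswith("/") and not candidate.startswith("//") else None

def safe_redirect_target(redirect_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """What the handler should use: the validated target, or a fixed fallback."""
    return check_redirect(redirect_url, allowed_hosts) or default

def flag_redirect_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Detection side: (line_no, redirectUrl) for requests whose value fails check_redirect.
    Assumes lines of the form '<ts> <ip> <method> <path?query> <status>' (constructed)."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        for value in parse_qs(urlsplit(fields[3]).query).get("redirectUrl", []):
            if check_redirect(value, allowed_hosts) is None:
                flagged.append((n, value))
    return flagged

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2025-08-20T00:02:07Z 203.0.113.5 GET /reset-password?token=t1&redirectUrl=/home 302",
    "2025-08-20T00:02:09Z 203.0.113.7 GET /reset-password?token=t2&redirectUrl=//evil.example/ 302",
    "2025-08-20T00:02:11Z 203.0.113.9 GET /reset-password?token=t3&redirectUrl=https%3A%2F%2Fhr.example.com%40evil.example%2F 302",
]
```

Running flag_redirect_requests(SAMPLE_LOG) flags lines 2 and 3 only; the first request stays on the portal and is left alone.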


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-19T17:13:21.967Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a5142bad5a09ad00fc988d

Added to database: 8/20/2025, 12:17:47 AM

Last enriched: 8/27/2025, 1:02:25 AM

Last updated: 10/1/2025, 10:01:14 PM

