CVE-2025-0970

4.3 MEDIUM

📋 TL;DR

This vulnerability in Zenvia Movidesk allows attackers to redirect users to malicious websites by manipulating the ReturnUrl parameter on the login page. It affects all users of Movidesk versions up to 25.01.22. The attack can be launched remotely without authentication.

💻 Affected Systems

Products:
  • Zenvia Movidesk
Versions: Up to version 25.01.22
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /Account/Login endpoint with ReturnUrl parameter manipulation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could be redirected to phishing sites that steal credentials or deliver malware, potentially leading to account compromise or system infection.

🟠 Likely Case

Attackers use the redirect for phishing campaigns to harvest user credentials or distribute malicious links.

🟢 If Mitigated

With proper user awareness training and URL filtering, the impact is limited to potential user confusion from unexpected redirects.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit has been publicly disclosed and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.01.22.245a473c54

Vendor Advisory: Not provided in CVE details

Restart Required: No

Instructions:

1. Upgrade Zenvia Movidesk to version 25.01.22.245a473c54 or later.
2. Verify the upgrade completed successfully.
3. Test the /Account/Login functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement server-side validation so that the ReturnUrl parameter accepts only relative URLs or trusted domains.
  • Configuration depends on the web server and application framework.

WAF Rule (applies to: all)

  • Deploy web application firewall rules to block malicious redirect attempts.
  • Add a rule to detect and block suspicious ReturnUrl parameters containing external domains.

🧯 If You Can't Patch

  • Implement strict URL validation at the application level to only allow relative URLs in ReturnUrl parameter
  • Deploy network monitoring to detect and block redirects to untrusted domains

🔍 How to Verify

Check if Vulnerable:

Test by accessing /Account/Login?ReturnUrl=https://malicious.example.com and checking whether a redirect to that host occurs.

Check Version:

Check Movidesk admin panel or application version file for current version

Verify Fix Applied:

After patching, request the same URL and verify that no redirect occurs, or that only relative URLs are accepted.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /Account/Login with external URLs in ReturnUrl parameter
  • Unexpected redirect responses from login page

Network Indicators:

  • Outbound connections to unexpected domains following login attempts
  • Redirect chains involving untrusted domains

SIEM Query:

source="web_server" AND uri="/Account/Login" AND query_string="*ReturnUrl=*" | where query_string contains "http://" OR query_string contains "https://"
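The server-side ReturnUrl validation suggested under Temporary Workarounds, and the log check behind the SIEM query above, as an added Python example (not Movidesk's code): `safe_return_url` accepts only same-origin relative paths or https URLs to a constructed allowlist (`TRUSTED_HOSTS` is an assumption), and also rejects scheme-relative (`//host`) and backslash (`/\host`) forms that a plain "http://" search misses.

```python
"""ReturnUrl handling for a login endpoint like /Account/Login?ReturnUrl=...

Added example, not Movidesk's code. Policy: same-origin relative paths are
accepted; absolute URLs only over https to hosts in TRUSTED_HOSTS (a
constructed allowlist); anything else falls back to DEFAULT_TARGET.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DEFAULT_TARGET = "/"                       # landing page used when ReturnUrl is rejected
TRUSTED_HOSTS = {"helpdesk.example.com"}   # assumption: hosts this deployment may redirect to


def safe_return_url(raw: Optional[str]) -> str:
    """Return a redirect target that stays on this site or on a trusted host."""
    if not raw:
        return DEFAULT_TARGET
    url = raw.strip()
    # Control characters and embedded spaces can split headers or confuse parsers.
    if any(ord(c) <= 0x20 for c in url):
        return DEFAULT_TARGET
    # Browsers treat "\" as "/", so "/\evil.com" really means "//evil.com". Normalise first.
    url = url.replace("\\", "/")
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative reference: require exactly one leading "/" so it cannot be
        # scheme-relative ("///host" also lands here with an empty netloc).
        return url if url.startswith("/") and not url.startswith("//") else DEFAULT_TARGET
    # Absolute URL: https only, allowlisted host, and no userinfo trick such as
    # "https://helpdesk.example.com@evil.com" (whose real host is evil.com).
    if (parts.scheme.lower() == "https" and parts.username is None
            and parts.hostname in TRUSTED_HOSTS):
        return url
    return DEFAULT_TARGET


def suspicious_return_url(query_string: str) -> bool:
    """Log-hunting helper: True when a request's ReturnUrl points off-site, i.e.
    safe_return_url would have rewritten it. Unlike a search for "http://" or
    "https://", this also flags "//host" and "/\\host" forms."""
    for value in parse_qs(query_string, keep_blank_values=True).get("ReturnUrl", []):
        if value and safe_return_url(value) != value.strip():
            return True
    return False
```

Run `suspicious_return_url` over the query-string field of each /Account/Login access-log record to triage hits from the SIEM query above.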
