CVE-2025-10290

6.5 MEDIUM

📋 TL;DR

This vulnerability in Focus for iOS allows attackers to spoof websites by tricking users into opening malicious links through the contextual menu. When users long-press on specially crafted URLs, the browser fails to load the page but doesn't refresh the toolbar, creating a visual deception. This affects Focus for iOS versions below 143.0.

💻 Affected Systems

Products:
  • Focus for iOS
Versions: All versions < 143.0
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Focus browser app on iOS devices; requires user interaction through long-press contextual menu

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users could be tricked into entering sensitive information on spoofed websites that appear legitimate, leading to credential theft, financial fraud, or malware installation.

🟠

Likely Case

Attackers could create convincing phishing pages that appear to be legitimate sites, potentially harvesting login credentials or personal information from targeted users.

🟢

If Mitigated

With proper user awareness training and updated software, the risk is limited to sophisticated targeted attacks rather than widespread exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to coerce users into opening links via long-press; not a drive-by exploit

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 143.0 or later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-76/

Restart Required: No

Instructions:

1. Open the App Store on your iOS device.
2. Tap your profile icon.
3. Scroll to find Focus for iOS.
4. Tap 'Update' next to Focus.
5. Wait for the update to complete.

🔧 Temporary Workarounds

Avoid long-press link opening

all

Instruct users to avoid using the long-press contextual menu to open links and instead tap links normally

🧯 If You Can't Patch

  • Disable Focus browser and use alternative browsers that are up-to-date
  • Implement user awareness training about phishing risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check Focus app version in iOS Settings > General > iPhone Storage > Focus

Check Version:

Not applicable for iOS apps; check via device settings

Verify Fix Applied:

Verify Focus version is 143.0 or higher in app settings

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of failed URL loads in browser logs
  • Multiple reports of suspicious website behavior from users

Network Indicators:

  • Traffic to domains that mimic legitimate sites but have unusual URL structures

SIEM Query:

Not typically applicable for client-side mobile browser vulnerabilities
