CVE-2025-27606
📋 TL;DR
Element Android up to version 1.6.32 does not log the user out after the configured number of failed PIN attempts is exceeded, so an attacker with physical access to an unlocked device can keep guessing and brute-force the PIN. Every user of an affected version who has PIN protection enabled is exposed. The vulnerability is fixed in version 1.6.34.
💻 Affected Systems
- Element Android
📦 What is this software?
Element is an open-source Matrix messaging client; Element Android is its Android app, maintained by Element (github.com/element-hq/element-android).
⚠️ Risk & Real-World Impact
Worst Case
An attacker who guesses the PIN opens the app as the logged-in user, reading conversations that are decrypted on the device and acting from that session (sending messages, changing settings), which amounts to exposure of sensitive communications and takeover of the account's session.
Likely Case
A local attacker with physical access to an unlocked device brute-forces the app PIN and reads the user's messages in Element Android.
If Mitigated
With a strong device passcode and encrypted storage, the attacker must first get past the device lock; the app PIN is only a second layer, so exposure is limited to situations where the device is handed over or left unlocked.
🎯 Exploit Status
Exploitation requires physical access to an unlocked device (or the device passcode) and nothing else: no exploit code is involved. The attacker simply keeps entering PIN guesses, because the app does not invalidate the session once the configured attempt limit is exhausted. Whether PIN protection is enabled is obvious from the prompt the app shows on launch.
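The following is an added model of the bug class, written for this page and not taken from Element Android's code: a PIN gate that counts failures but only resets its counter at the limit, beside one that drops the session token (a logout) when the limit is reached. The attempt limit, hashing parameters and session layout are assumptions; the brute-force loop shows why the first variant falls to exhaustive guessing of a four-digit PIN while the second stops the attacker after MAX_ATTEMPTS guesses.

```python
"""Model of an app-level PIN lock with an attempt limit (illustration only)."""
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_ATTEMPTS = 3        # assumption: the configured limit; the real value lives in app settings
KDF_ITERATIONS = 1_000  # deliberately low so the demo runs quickly; use far more in a real app


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


@dataclass
class Session:
    access_token: Optional[str]  # None means the session has been logged out
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0

    @property
    def logged_in(self) -> bool:
        return self.access_token is not None


def make_session(pin: str) -> Session:
    """Constructed sample: a logged-in session protected by the given PIN."""
    salt = os.urandom(16)
    return Session(access_token="tok-" + os.urandom(8).hex(),
                   pin_salt=salt, pin_hash=_hash_pin(pin, salt))


def logout(s: Session) -> None:
    s.access_token = None
    s.failed_attempts = 0


def _pin_matches(s: Session, guess: str) -> bool:
    return hmac.compare_digest(_hash_pin(guess, s.pin_salt), s.pin_hash)


def check_pin_vulnerable(s: Session, guess: str) -> bool:
    """Counts failures, but on reaching the limit only resets the counter.
    The session token survives, so guessing can continue indefinitely."""
    if not s.logged_in:
        return False
    if _pin_matches(s, guess):
        s.failed_attempts = 0
        return True
    s.failed_attempts += 1
    if s.failed_attempts >= MAX_ATTEMPTS:
        s.failed_attempts = 0  # modelled bug: "too many attempts" without a logout
    return False


def check_pin_fixed(s: Session, guess: str) -> bool:
    """Same check, but hitting the limit invalidates the session. Further
    guesses are useless until the user signs in again with account credentials."""
    if not s.logged_in:
        return False
    if _pin_matches(s, guess):
        s.failed_attempts = 0
        return True
    s.failed_attempts += 1
    if s.failed_attempts >= MAX_ATTEMPTS:
        logout(s)
    return False


def brute_force(s: Session, check: Callable[[Session, str], bool],
                digits: int = 4) -> Tuple[Optional[str], int]:
    """Try every PIN in ascending order. Returns (pin_found, guesses_made);
    pin_found is None if the session was logged out before the PIN was hit."""
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guess = "".join(combo)
        guesses += 1
        if check(s, guess):
            return guess, guesses
        if not s.logged_in:
            return None, guesses
    return None, guesses


if __name__ == "__main__":
    weak = make_session("1234")
    print("vulnerable:", brute_force(weak, check_pin_vulnerable), "still logged in:", weak.logged_in)
    strong = make_session("1234")
    print("fixed:     ", brute_force(strong, check_pin_fixed), "still logged in:", strong.logged_in)
```

The point the model makes is that an attempt counter is only a deterrent if exceeding it changes the security state (here, dropping the access token so the gate can no longer be unlocked by a PIN); a counter that merely resets, or a limit that is enforced only in the UI, leaves the full 10,000-guess keyspace reachable.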
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.34
Vendor Advisory: https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch
Restart Required: Yes
Instructions:
1. Open the Google Play Store (or the store you installed Element from, such as F-Droid or the GitHub releases page)
2. Search for Element Android
3. Update to version 1.6.34 or later
4. Restart the application
🔧 Temporary Workarounds
Disable PIN Protection
Temporarily disable PIN protection in Element Android settings until patched. Note that this removes the app-level lock entirely rather than fixing it; it only makes sense where the device lock itself is strong, since the vulnerable PIN otherwise gives a false sense of protection.
Open Element Android > Settings > Security > Disable PIN
Enable Device-Level Security
Use a strong device passcode and full disk encryption so an attacker with the phone cannot reach the app's PIN prompt in the first place.
Android Settings > Security > Screen lock > Set strong passcode
Android Settings > Security > Encryption & credentials > Encrypt device (on Android 10 and later storage is encrypted by default and this option may not be shown)
🧯 If You Can't Patch
- Disable PIN protection in Element Android settings
- Enable device-level encryption and strong passcode to limit impact of physical access
🔍 How to Verify
Check if Vulnerable:
Check the Element Android version in the app settings. If the version is 1.6.32 or earlier and PIN protection is enabled, the installation is vulnerable.
Check Version:
Open Element Android > Settings > About > Version
Verify Fix Applied:
Update to version 1.6.34 or later and confirm that the app logs the session out once the attempt limit is exceeded. Do this on a test account or only after setting up secure key backup: the logout is real, and a session logged out without backup loses its end-to-end encryption keys.
📡 Detection & Monitoring
Log Indicators:
- None usable in practice: PIN attempts are handled entirely on the device and are not reported to the homeserver, so neither failed attempts nor a missing logout appear in server logs.
Network Indicators:
- None - this is a local physical access vulnerability
SIEM Query:
Not applicable for local physical access vulnerabilities. The practical organisation-wide check is an MDM or app-inventory query for installed Element Android versions below 1.6.34.