CVE-2025-32881 – This vulnerability exposes users' phone numbers... (How to Fix)

📋 TL;DR

This vulnerability exposes users' phone numbers in goTenna v1 devices by transmitting them unencrypted as Group IDs (GIDs) in messages. Anyone using goTenna v1 devices with the specified app and firmware versions is affected, potentially allowing attackers to link communications to specific individuals.

💻 Affected Systems

Products:

goTenna v1 devices

Versions: App version 5.5.3, Firmware version 0.25.5

Operating Systems: Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: Default configuration uses phone number as GID unless user explicitly opts out. The vulnerability exists in both the mobile app and device firmware.

📦 What is this software?

Gotenna by Gotenna

View all CVEs affecting Gotenna →

Mesh Firmware by Gotenna

View all CVEs affecting Mesh Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers intercept communications, deanonymize users by linking phone numbers to identities, track individuals' movements and communications, and potentially conduct targeted social engineering or harassment campaigns.

🟠

Likely Case

Passive interception reveals users' phone numbers during normal mesh network communications, allowing basic identification and potential correlation with other data sources.

🟢

If Mitigated

With proper encryption or GID anonymization, only authorized participants can identify users, maintaining communication privacy.

🌐 Internet-Facing: LOW

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires physical proximity to intercept radio communications. The GitHub repository contains detailed analysis and proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://gotenna.com

Restart Required: No

Instructions:

1. Check goTenna website for security updates
2. Update app through official app store
3. Update device firmware if available
4. Consider disabling phone number as GID in settings

🔧 Temporary Workarounds

Disable Phone Number as GID

all

Manually opt out of using phone number as Group ID in app settings

Use Custom GID

all

Set a custom, non-identifying Group ID instead of default phone number

🧯 If You Can't Patch

Limit device use to non-sensitive communications only
Physically secure devices to prevent unauthorized access to communications

🔍 How to Verify

Check if Vulnerable:

Check app version in settings (should be 5.5.3) and firmware version in device info (should be 0.25.5). Verify if phone number is being used as GID.

Check Version:

Check within goTenna app settings for version information

Verify Fix Applied:

Confirm app and firmware versions are updated beyond vulnerable versions. Verify GID is not displaying phone number in messages.

📡 Detection & Monitoring

Log Indicators:

Unusual GID patterns in device logs
Multiple failed GID modification attempts

Network Indicators:

Intercepted radio communications containing phone numbers in cleartext
Unusual mesh network traffic patterns

SIEM Query:

Not applicable for mesh network devices without centralized logging

📊 Metadata

CVE ID: CVE-2025-32881

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-319

EPSS Score: 0.02% exploit probability (4.4th percentile)

Published: May 1, 2025

Last Updated: June 20, 2025

🔗 References

https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities Third Party Advisory
https://gotenna.com Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-32881, you might also want to check these: