CVE-2025-32884

4.3 MEDIUM

📋 TL;DR

goTenna Mesh devices running the vulnerable app/firmware versions use the user's phone number as the default GID and transmit it unencrypted in messages. An attacker intercepting communications can therefore link device activity to specific individuals. Users who have not opted out of phone number-based GIDs are affected.

💻 Affected Systems

Products:
  • goTenna Mesh devices
Versions: App 5.5.3 and firmware 1.1.12 (specific vulnerable combination)
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability requires the specific app and firmware version combination; the GID defaults to the phone number unless the user explicitly opts out.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept communications and deanonymize users, enabling targeted surveillance, harassment, or linking communications to real identities.

🟠 Likely Case

Passive interception reveals user identities and communication patterns, compromising privacy in mesh network communications.

🟢 If Mitigated

With proper opt-out configuration and network segmentation, impact is limited to metadata exposure without personal identifiers.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires intercepting mesh network communications; no authentication is needed to read the unencrypted GID field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: https://gotenna.com

Restart Required: No

Instructions:

1. Check goTenna website for security updates
2. Update app and firmware when available
3. Manually opt out of phone number GID in app settings

🔧 Temporary Workarounds

  • Opt out of phone number GID (all): change the GID from the default phone number to a custom identifier
  • Disable vulnerable versions (all): stop using the app 5.5.3 with firmware 1.1.12 combination

🧯 If You Can't Patch

  • Immediately opt out of phone number GID in app settings
  • Limit use of vulnerable devices to non-sensitive communications only

🔍 How to Verify

Check if Vulnerable:

Check app version in settings (5.5.3) and firmware version (1.1.12) in device info

Check Version:

N/A - check via mobile app interface

Verify Fix Applied:

Verify GID in messages shows custom identifier instead of phone number

📡 Detection & Monitoring

Log Indicators:

  • Unencrypted GID fields in message logs containing phone number patterns

Network Indicators:

  • Cleartext transmission of numeric identifiers in mesh protocol

SIEM Query:

N/A - primarily requires physical/logical network monitoring
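A constructed check for the log indicator above (phone-number-shaped values in GID fields), added here as an example; it is not goTenna's code, and the `gid=<value>` log layout and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample message log lines (not goTenna's real log format): the
# "gid=<value>" field layout is an assumption made for this example.
SAMPLE_LOG = """\
2025-05-01T12:00:01Z msg from gid=15551234567 to gid=15559876543 len=42
2025-05-01T12:00:05Z msg from gid=+44 7700 900123 to gid=900000001 len=10
2025-05-01T12:00:09Z msg from gid=482193 to gid=771122 len=7
2025-05-01T12:00:12Z msg from gid=1234567890 to gid=771122 len=3
2025-05-01T12:00:15Z ack from gid=900000001
"""

# A GID value: optional '+', then digits with common phone-number separators.
GID_FIELD = re.compile(r"gid=(\+?\d[\d\s\-().]{4,18}\d)")


def looks_like_phone_number(gid: str) -> bool:
    """Heuristic: does this GID value look like a subscriber phone number?

    E.164 numbers carry at most 15 digits; an explicit '+' prefix is treated as
    conclusive. Without a prefix, only 10-digit NANP-shaped numbers (optional
    leading 1, area code 2-9) are flagged, so tune this for other numbering plans.
    """
    digits = re.sub(r"\D", "", gid)
    if not 10 <= len(digits) <= 15:
        return False
    if gid.lstrip().startswith("+"):
        return True
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    return len(digits) == 10 and digits[0] in "23456789"


def find_phone_number_gids(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, gid) for every GID field that looks like a phone number."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in GID_FIELD.finditer(line):
            gid = match.group(1)
            if looks_like_phone_number(gid):
                hits.append((line_no, gid))
    return hits


if __name__ == "__main__":
    for line_no, gid in find_phone_number_gids(SAMPLE_LOG):
        print(f"line {line_no}: GID {gid!r} looks like a phone number")
```

Short or non-NANP-shaped custom GIDs (482193, 900000001, 1234567890) are not flagged, which is the state a device should be in after opting out of the phone number GID.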
