CVE-2025-32889

7.3 HIGH

📋 TL;DR

This vulnerability allows attackers to send SMS messages through goTenna servers without authorization by using a hardcoded verification token in the app. It affects goTenna v1 device users running app version 5.5.3 with firmware 0.25.5. The hardcoded token bypasses authentication mechanisms for SMS functionality.

💻 Affected Systems

Products:
  • goTenna v1 devices
Versions: App version 5.5.3 with firmware 0.25.5
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the specific app and firmware combination; newer goTenna Mesh devices may not be affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could send unlimited SMS messages through goTenna infrastructure, incurring significant costs for the company and potentially enabling spam, phishing, or harassment campaigns using the compromised service.

🟠 Likely Case

Unauthorized SMS sending leading to service abuse, potential financial losses for goTenna, and reputational damage from malicious messages appearing to originate from their service.

🟢 If Mitigated

Limited impact if the token is rotated or SMS functionality is disabled, though legacy devices may remain vulnerable if they are not updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The hardcoded token can be extracted from the app and used directly without authentication. A public GitHub repository demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://gotenna.com

Restart Required: No

Instructions:

1. Check the goTenna website for security updates.
2. Update the app if a newer version is available.
3. Update the device firmware if a newer version is available.
4. Contact goTenna support for specific guidance.

🔧 Temporary Workarounds

Disable SMS functionality (applies to: all)

Turn off SMS sending capabilities in the app settings, if available.

Network restriction (applies to: all)

Block outbound SMS traffic from goTenna devices at the network level.

🧯 If You Can't Patch

  • Isolate goTenna devices on separate network segments
  • Monitor for unusual SMS traffic patterns from goTenna infrastructure

🔍 How to Verify

Check if Vulnerable:

Check app version in settings (5.5.3) and firmware version in device info (0.25.5)

Check Version:

Check within goTenna app settings under 'About' or 'Device Info'

Verify Fix Applied:

Verify that the app and firmware versions have been updated beyond the vulnerable versions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SMS sending patterns
  • Failed authentication attempts for SMS services

Network Indicators:

  • SMS traffic from unauthorized sources
  • Traffic to goTenna SMS API without proper authentication

SIEM Query:

source="gotenna" AND (event_type="sms_send" OR protocol="sms") AND NOT user_authenticated=true
