CVE-2025-13476

Critical

Published: 05 March 2026

Published

05 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13476 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Rakuten Viber. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-30 (Concealment and Misdirection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Sniffing (T1040). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the static TLS ClientHello fingerprint flaw in vulnerable Viber Cloak mode versions.

SC-30 Concealment and Misdirection good match

prevent

Mandates implementation of concealment and misdirection techniques, such as TLS ClientHello extension diversity, to prevent DPI identification of Viber proxy traffic.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning and monitoring to identify the predictable TLS fingerprint vulnerability in deployed Viber applications.

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

attack.mitre.org →

Why these techniques?

Vulnerability enables remote network adversaries to perform DPI-based traffic identification and selective blocking of the flawed proxy channel.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic, undermining censorship circumvention. (CWE-327)

Deeper analysisAI

CVE-2025-13476 is a vulnerability in Rakuten Viber's Cloak mode, affecting the Android version v25.7.2.0g and Windows versions from v25.6.0.0 to v25.8.1.0. The issue stems from the use of a static and predictable TLS ClientHello fingerprint that lacks extension diversity, enabling Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic intended for censorship circumvention. Classified under CWE-327, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-05.

Network-based attackers, including ISPs, enterprise administrators, or censorship authorities with DPI tools, can exploit this vulnerability remotely without authentication or user interaction. By matching the distinctive TLS fingerprint, they can selectively detect and block Viber Cloak mode proxy traffic, defeating its purpose and potentially disrupting user communications or access in restricted environments.

Mitigation guidance is available in advisories such as the CERT vulnerability note at https://www.kb.cert.org/vuls/id/772695; security practitioners should also consult the Viber download page at https://www.viber.com/en/download/ for any patched versions or updates addressing this issue.