Cyber Resilience

CVE-2025-13476

Critical

Published: 05 March 2026

Published
05 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 26.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-13476 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Rakuten Viber. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-30 (Concealment and Misdirection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-13476 is a vulnerability in Rakuten Viber's Cloak mode, affecting the Android version v25.7.2.0g and Windows versions from v25.6.0.0 to v25.8.1.0. The issue stems from the use of a static and predictable TLS ClientHello fingerprint that lacks extension diversity, enabling Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic intended for censorship circumvention. Classified under CWE-327, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-05.

Network-based attackers, including ISPs, enterprise administrators, or censorship authorities with DPI tools, can exploit this vulnerability remotely without authentication or user interaction. By matching the distinctive TLS fingerprint, they can selectively detect and block Viber Cloak mode proxy traffic, defeating its purpose and potentially disrupting user communications or access in restricted environments.

Mitigation guidance is available in advisories such as the CERT vulnerability note at https://www.kb.cert.org/vuls/id/772695; security practitioners should also consult the Viber download page at https://www.viber.com/en/download/ for any patched versions or updates addressing this issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic, undermining censorship circumvention. (CWE-327)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
Why these techniques?

Vulnerability enables remote network adversaries to perform DPI-based traffic identification and selective blocking of the flawed proxy channel.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66597Shared CWE-327
CVE-2019-25651Shared CWE-327
CVE-2024-31896Shared CWE-327
CVE-2025-63912Shared CWE-327
CVE-2025-69929Shared CWE-327
CVE-2026-1627Shared CWE-327
CVE-2025-14480Shared CWE-327
CVE-2026-34950Shared CWE-327
CVE-2026-22585Shared CWE-327
CVE-2026-24785Shared CWE-327

Affected Assets

rakuten
viber
9.3.0.6 · 25.6.0 — 25.8.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the static TLS ClientHello fingerprint flaw in vulnerable Viber Cloak mode versions.

prevent

Mandates implementation of concealment and misdirection techniques, such as TLS ClientHello extension diversity, to prevent DPI identification of Viber proxy traffic.

detect

Enables vulnerability scanning and monitoring to identify the predictable TLS fingerprint vulnerability in deployed Viber applications.

References