CVE-2025-32882
Published: 01 May 2025
Summary
CVE-2025-32882 is a medium-severity Missing Support for Integrity Check (CWE-353) vulnerability in Gotenna Mesh Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Owner/User Discovery (T1033); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13282
Vulnerability details
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app uses a custom implementation of encryption without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Cleartext GID (phone numbers) enables system owner/user discovery (T1033). Missing integrity checks make messages malleable, facilitating adversary-in-the-middle (T1557) and transmitted data manipulation (T1565.002). Injection of custom messages with arbitrary GID/Callsign enables masquerading account names (T1036.010).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Irrefutable evidence of actions requires integrity protection to prevent tampering or alteration of records.
Implements required signature-based integrity verification, addressing missing support for integrity checks on components.
Requiring control over the integrity of all changes directly compels developers to implement integrity verification mechanisms rather than omitting them.
Tamper detection fundamentally depends on integrity-checking capabilities that this control mandates or strengthens.
Explicitly requires support for integrity and authenticity checks on components before acceptance into the system.
Supplies the integrity-check artifacts (e.g., RRSIG, DNSKEY) that were previously missing for DNS responses.
Control explicitly adds support for integrity mechanisms such as checksums during preparation, preventing attacks that rely on missing integrity checks.
Directly supplies the missing integrity verification mechanism the weakness describes.