Cyber Resilience

CVE-2025-32882

Medium

Published: 01 May 2025

Published
01 May 2025
Modified
20 June 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0013 32.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32882 is a medium-severity Missing Support for Integrity Check (CWE-353) vulnerability in Gotenna Mesh Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Owner/User Discovery (T1033); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app uses a custom implementation of encryption without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1033 System Owner/User Discovery Discovery
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
T1036.010 Masquerade Account Name Stealth
Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign.
Why these techniques?

Cleartext GID (phone numbers) enables system owner/user discovery (T1033). Missing integrity checks make messages malleable, facilitating adversary-in-the-middle (T1557) and transmitted data manipulation (T1565.002). Injection of custom messages with arbitrary GID/Callsign enables masquerading account names (T1036.010).

Affected Assets

gotenna
mesh firmware
0.25.5
gotenna
gotenna
5.5.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-353

Irrefutable evidence of actions requires integrity protection to prevent tampering or alteration of records.

addresses: CWE-353

Implements required signature-based integrity verification, addressing missing support for integrity checks on components.

addresses: CWE-353

Requiring control over the integrity of all changes directly compels developers to implement integrity verification mechanisms rather than omitting them.

addresses: CWE-353

Tamper detection fundamentally depends on integrity-checking capabilities that this control mandates or strengthens.

addresses: CWE-353

Explicitly requires support for integrity and authenticity checks on components before acceptance into the system.

addresses: CWE-353

Supplies the integrity-check artifacts (e.g., RRSIG, DNSKEY) that were previously missing for DNS responses.

addresses: CWE-353

Control explicitly adds support for integrity mechanisms such as checksums during preparation, preventing attacks that rely on missing integrity checks.

addresses: CWE-353

Directly supplies the missing integrity verification mechanism the weakness describes.

References