CVE-2025-32881

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. By default, the GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities	Third Party Advisory
https://gotenna.com	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:gotenna:mesh_firmware:0.25.5:*:*:*:*:*:*:*

cpe:2.3:h:gotenna:mesh:-:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:gotenna:gotenna:5.5.3:*:*:*:*:-:*:*

History

20 Jun 2025, 16:53

Type	Values Removed	Values Added
References	~~() https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities -~~	() https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities - Third Party Advisory
References	~~() https://gotenna.com -~~	() https://gotenna.com - Product
CPE		cpe:2.3:o:gotenna:mesh_firmware:0.25.5:::::::* cpe:2.3:h:gotenna:mesh:-:::::::* cpe:2.3:a:gotenna:gotenna:5.5.3:::::-::
First Time		Gotenna Gotenna mesh Gotenna gotenna Gotenna mesh Firmware

02 May 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) Se detectó un problema en dispositivos goTenna v1 con la aplicación 5.5.3 y el firmware 0.25.5. Por defecto, el GID es el número de teléfono del usuario, a menos que este lo desactive específicamente. Un número de teléfono es información muy sensible, ya que puede asociarse con personas. La aplicación no cifra el GID en los mensajes.

01 May 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-319

01 May 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-01 18:15

Updated : 2025-06-20 16:53

NVD link : CVE-2025-32881

Mitre link : CVE-2025-32881

CVE.ORG link : CVE-2025-32881

JSON object : View

Products Affected

gotenna

gotenna
mesh_firmware
mesh

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2025-32881", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-05-01T18:15:54.970", "references": [{"url": "https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gotenna.com", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. By default, the GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages."}, {"lang": "es", "value": "Se detect\u00f3 un problema en dispositivos goTenna v1 con la aplicaci\u00f3n 5.5.3 y el firmware 0.25.5. Por defecto, el GID es el n\u00famero de tel\u00e9fono del usuario, a menos que este lo desactive espec\u00edficamente. Un n\u00famero de tel\u00e9fono es informaci\u00f3n muy sensible, ya que puede asociarse con personas. La aplicaci\u00f3n no cifra el GID en los mensajes."}], "lastModified": "2025-06-20T16:53:44.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:gotenna:mesh_firmware:0.25.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92602326-09B2-46F8-ACB7-F977942C191D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:gotenna:mesh:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B188A17B-CCB4-438C-A370-5913AB3BB22A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gotenna:gotenna:5.5.3:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "63D278BB-4BE6-4020-9D7C-CB774101087A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}