CVE-2025-32886
CVE-2025-32886 is a medium-severity vulnerability in Gotenna with a CVSS 3.x base score of 4.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-923.
Key facts
- Severity: Medium (CVSS 3.x base score 4.0)
- EPSS exploit prediction: 0% (3rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-13275
- Weakness: CWE-923
- Affected product: Gotenna
- Published:
- Last modified:
Description
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. All packets sent over RF are also sent over UART with USB Shell, allowing someone with local access to gain information about the protocol and intercept sensitive data.
Frequently asked questions
- What is CVE-2025-32886?
- An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. All packets sent over RF are also sent over UART with USB Shell, allowing someone with local access to gain information about the protocol and intercept sensitive data.
- How severe is CVE-2025-32886?
- CVE-2025-32886 has a CVSS 3.x base score of 4.0, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2025-32886 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (3rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-32886?
- CVE-2025-32886 primarily affects Gotenna. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-32886?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-32886 have an EU (EUVD) identifier?
- Yes. CVE-2025-32886 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-13275.
- When was CVE-2025-32886 published?
- CVE-2025-32886 was published on 2025-05-01 and last updated on 2026-06-17.
References
Affected products (2)
- cpe:2.3:o:gotenna:mesh_firmware:0.25.5:*:*:*:*:*:*:*
- cpe:2.3:a:gotenna:gotenna:5.5.3:*:*:*:*:-:*:*
More vulnerabilities in Gotenna
- CVE-2025-32889 — High (CVSS 7.3): An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for…
- CVE-2025-32888 — High (CVSS 7.3): An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for…
- CVE-2025-32887 — High (CVSS 7.1): An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. A command channel includes the next…
- CVE-2025-32885 — Medium (CVSS 6.5): An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to…
- CVE-2024-45723 — Medium (CVSS 6.5): The goTenna Pro ATAK Plugin does not use SecureRandom when generating passwords for sharing cryptographic keys. The…
- CVE-2024-41722 — Medium (CVSS 6.5): In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any…
Other CWE-923 vulnerabilities
- CVE-2019-17440 — Critical (CVSS 10.0): Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation…
- CVE-2024-41889 — Critical (CVSS 9.8): Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited,…
- CVE-2026-34205 — Critical (CVSS 9.6): Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps…
- CVE-2023-28078 — Critical (CVSS 9.1): Dell OS10 Networking Switches running 10.5.2.x and above contain a vulnerability with zeroMQ when VLT is configured. A…
- CVE-2025-61939 — High (CVSS 8.8): An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual…
- CVE-2025-20261 — High (CVSS 8.8): A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series,…