Gotenna Security Vulnerabilities and Issues — Gotenna CVE List

Lucene search

GotennaGotenna

16 matches found

CVE•added 2024/09/26 6:15 p.m.•43 views

CVE-2024-45838

The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. Itis advised to not use sensitive information in callsigns when using thisand previous versions of the plugin. Update to current plugin versionwhich uses AES-256 encryption for callsigns in encrypted operation

4.3CVSS4.9AI score0.00015EPSS

CVE•added 2025/05/01 6:15 p.m.•41 views

CVE-2025-32886

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. All packets sent over RF are also sent over UART with USB Shell, allowing someone with local access to gain information about the protocol and intercept sensitive data.

5.5CVSS6.8AI score0.00018EPSS

CVE•added 2024/09/26 6:15 p.m.•40 views

CVE-2024-43108

The goTenna Pro ATAK Plugin uses AES CTR type encryption for short,encrypted messages without any additional integrity checking mechanisms.This leaves messages malleable to an attacker that can access themessage. It is advised to continue to use encryption in the plugin andupdate to the current rel...

6.5CVSS5.5AI score0.00011EPSS

CVE•added 2025/05/01 6:15 p.m.•40 views

CVE-2025-32890

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. It uses a custom implementation of encryption without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message.

6.5CVSS7.1AI score0.0001EPSS

CVE•added 2024/09/26 6:15 p.m.•38 views

CVE-2024-45374

The goTenna Pro ATAK plugin uses a weak password for sharing encryptionkeys via the key broadcast method. If the broadcasted encryption key iscaptured over RF, and password is cracked via brute force attack, it ispossible to decrypt it and use it to decrypt all future and pastmessages sent via encr...

6.5CVSS5.9AI score0.00023EPSS

CVE•added 2024/09/26 6:15 p.m.•38 views

CVE-2024-45723

The goTenna Pro ATAK Plugin does not use SecureRandom when generatingpasswords for sharing cryptographic keys. The random function in usemakes it easier for attackers to brute force this password if thebroadcasted encryption key is captured over RF. This only applies to theoptional broadcast of an ...

7.1CVSS6.5AI score0.00032EPSS

CVE•added 2025/05/01 6:15 p.m.•38 views

CVE-2025-32884

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. By default, a GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages.

6.5CVSS4.6AI score0.00015EPSS

CVE•added 2025/05/01 6:15 p.m.•38 views

CVE-2025-32889

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for sending SMS through a goTenna server is hardcoded in the app.

8.8CVSS7.4AI score0.00028EPSS

CVE•added 2025/05/01 6:15 p.m.•37 views

CVE-2025-32881

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. By default, the GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages.

6.5CVSS6.7AI score0.00015EPSS

CVE•added 2025/05/01 6:15 p.m.•37 views

CVE-2025-32882

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app uses a custom implementation of encryption without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message.

6.5CVSS7.1AI score0.00008EPSS

CVE•added 2025/05/01 6:15 p.m.•36 views

CVE-2025-32887

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. A command channel includes the next hop. which can be intercepted and used to break frequency hopping.

7.1CVSS7.2AI score0.00017EPSS

CVE•added 2024/09/26 6:15 p.m.•35 views

CVE-2024-41931

The goTenna Pro ATAK Plugin encryption key name is always sentunencrypted when the key is sent over RF through a broadcast message. Itis advised to share the encryption key via local QR for higher securityoperations.

5.3CVSS4.8AI score0.00027EPSS

CVE•added 2024/09/26 6:15 p.m.•35 views

CVE-2024-43814

The goTenna Pro ATAK Plugin's default settings are to share AutomaticPosition, Location, and Information (PLI) updates every 60 seconds oncethe plugin is active and goTenna is connected. Users that are unaware oftheir settings and have not activated encryption before a mission mayaccidentally broad...

5.3CVSS4.9AI score0.00027EPSS

CVE•added 2025/05/01 6:15 p.m.•35 views

CVE-2025-32885

An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted envi...

6.5CVSS6.9AI score0.0005EPSS

CVE•added 2025/05/01 6:15 p.m.•35 views

CVE-2025-32888

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app.

8.8CVSS7.3AI score0.00028EPSS

CVE•added 2024/09/26 6:15 p.m.•34 views

CVE-2024-41722

In the goTenna Pro ATAK Plugin there is a vulnerability that makes itpossible to inject any custom message with any GID and Callsign using asoftware defined radio in existing goTenna mesh networks. Thisvulnerability can be exploited if the device is being used in anunencrypted environment or if the...

6.5CVSS6.4AI score0.00029EPSS