CVE-2025-32884

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. By default, a GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitreCNA
4.3 MEDIUM
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AC:L/AV:A/A:N/C:L/I:N/PR:N/S:U/UI:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
VendorProductVersion
gotennamesh_firmware
1.1.12
gotennagotenna
5.5.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities
https://gotenna.com