CVE-2025-13476: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Rakuten Viber Rakuten Viber Cloak - Android
Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic, undermining censorship circumvention. (CWE-327)
AI Analysis
Technical Summary
CVE-2025-13476 identifies a critical cryptographic vulnerability in Rakuten Viber Cloak mode, specifically in Android version 25.7.2.0g and Windows versions 25.6.0.0 through 25.8.1.0. The vulnerability arises from the use of a static and predictable TLS ClientHello fingerprint that lacks extension diversity. TLS ClientHello messages are part of the handshake process in establishing secure connections, and their fingerprint uniqueness is crucial for evading detection by network monitoring tools. In this case, the static fingerprint allows Deep Packet Inspection (DPI) systems to trivially recognize and block proxy traffic generated by Viber Cloak, which is designed to help users circumvent censorship. This flaw is categorized under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-693 (Protection Mechanism Failure), indicating fundamental weaknesses in cryptographic design and implementation. The vulnerability has a CVSS v3.1 score of 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. While no active exploits have been reported, the predictable TLS fingerprint significantly undermines the effectiveness of Viber Cloak as a censorship circumvention tool, potentially exposing users to blocking and surveillance. The vulnerability was published on March 5, 2026, and no official patches have been linked yet, emphasizing the urgency for remediation.
Potential Impact
The vulnerability severely impacts users relying on Rakuten Viber Cloak mode for privacy and censorship circumvention. By enabling DPI systems to easily identify and block proxy traffic, it compromises confidentiality by exposing users' attempts to bypass network restrictions, potentially leading to surveillance or punitive actions in restrictive regimes. Integrity and availability are also affected because the blocking of proxy traffic disrupts communication channels, denying users access to censored content or secure messaging. Organizations using Viber Cloak to maintain secure communications may face operational disruptions and data exposure risks. The flaw undermines trust in the product's security guarantees and may force users to seek alternative tools, impacting Rakuten Viber's reputation. Given the critical CVSS score and the nature of the vulnerability, the threat could have widespread consequences in countries with aggressive internet censorship, affecting millions of users and organizations that depend on secure, uncensored communication.
Mitigation Recommendations
1. Immediate mitigation requires users and organizations to monitor Rakuten Viber's official channels for patches addressing this vulnerability and apply updates promptly once available.
2. Until patches are released, users should consider disabling Viber Cloak mode to avoid detection and blocking by DPI systems.
3. Employ alternative circumvention tools that implement randomized or diverse TLS ClientHello fingerprints to evade DPI detection effectively.
4. Network administrators should implement traffic analysis and anomaly detection to identify and alert on suspicious proxy traffic patterns that may be targeted by DPI.
5. Developers should redesign the TLS handshake implementation in Viber Cloak to incorporate extension diversity and fingerprint randomization, following best practices for cryptographic protocol design.
6. Conduct thorough security audits and penetration testing focusing on cryptographic components to prevent similar vulnerabilities.
7. Educate users in high-risk regions about the risks of using vulnerable versions and recommend safer communication alternatives.
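A release check for recommendation 5, as an added example that is not Viber's code and not part of the original advisory: it hashes the ClientHello fields that are visible in cleartext (version, cipher suites, extension order) and counts distinct values across a client's connections. The hash is a simplified stand-in rather than any named fingerprinting scheme, and `build_hello`, the cipher and extension numbers, and both sample sets are constructed for illustration.

```python
import hashlib
import struct

def build_hello(ciphers, ext_types, random=b"\x00" * 32):
    """Constructed sample input: a minimal ClientHello record with empty extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + random + b"\x00"                 # version, random, no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def fingerprint(record):
    """Hash the fields an on-path observer reads: version, suites, extension order."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9                                    # skip record (5) and handshake (4) headers
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                              # version + random (random is not hashed)
    pos += 1 + record[pos]                     # session id
    n = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    suites = struct.unpack_from(f"!{n // 2}H", record, pos)
    pos += n
    pos += 1 + record[pos]                     # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ext_types = []
    while pos + 4 <= end:                      # walk (type, length, body) triples
        etype, elen = struct.unpack_from("!HH", record, pos)
        ext_types.append(etype)
        pos += 4 + elen
    text = f"{version},{'-'.join(map(str, suites))},{'-'.join(map(str, ext_types))}"
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def distinct_fingerprints(records):
    """Number of different fingerprints seen across a set of captured ClientHellos."""
    return len({fingerprint(r) for r in records})

# Constructed samples: five connections that differ only in the random field.
SUITES, EXTS = [0x1301, 0x1302, 0xC02F], [0, 10, 11, 13, 43, 51]
static_client = [build_hello(SUITES, EXTS, bytes([i]) * 32) for i in range(5)]
# Constructed samples: the same client with extension order rotated per connection.
varied_client = [build_hello(SUITES, EXTS[i:] + EXTS[:i]) for i in range(3)]
```

A count of 1 across many connections is the static-fingerprint condition the advisory describes. A fingerprint that sorts extension types before hashing would still collapse the rotated set to one value, so reordering alone should not be counted as diversity.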
Affected Countries
Russia, China, Iran, Turkey, Egypt, United Arab Emirates, Saudi Arabia, Vietnam, Belarus, Ethiopia, Pakistan, North Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: certcc
- Date Reserved: 2025-11-20T12:38:19.605Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69a9c994460e1c85df139316
Added to database: 3/5/2026, 6:21:08 PM
Last enriched: 3/12/2026, 8:36:41 PM
Last updated: 4/19/2026, 4:49:13 PM