CVE-2025-32881 is a medium-severity vulnerability affecting goTenna v1 devices running app version 5.5.3 and firmware version 0.25.5. The core issue lies in the handling of the Group ID (GID) within the device's communication protocol. By default, the GID is set to the user's phone number unless the user explicitly opts out. This design choice exposes sensitive personally identifiable information (PII), as phone numbers can be directly linked to individuals. Furthermore, the application does not encrypt the GID when transmitting messages, resulting in the phone number being sent in cleartext over the air. This vulnerability corresponds to CWE-319 (Cleartext Transmission of Sensitive Information), indicating that sensitive data is exposed during communication without adequate protection. The vulnerability does not require user interaction or authentication and can be exploited remotely, as the attack vector is over the network (AV:A - Adjacent Network). The attack complexity is low (AC:L), meaning an attacker with access to the same network segment can intercept messages and extract phone numbers. The impact is limited to confidentiality (C:L), with no direct impact on integrity or availability. There are no known exploits in the wild as of the publication date (May 1, 2025), and no patches have been released yet. The vulnerability primarily threatens user privacy by exposing phone numbers, which could be leveraged for targeted social engineering, tracking, or other privacy-invasive activities. Given the nature of goTenna devices, which are used for off-grid communication often in remote or emergency scenarios, the exposure of phone numbers could undermine user anonymity and operational security in sensitive environments.

For European organizations, especially those involved in emergency services, outdoor activities, or remote communications, this vulnerability poses a privacy risk by exposing users' phone numbers. The leakage of phone numbers can facilitate targeted phishing, social engineering attacks, or tracking of individuals. Organizations relying on goTenna devices for secure or private communications may find their operational security compromised. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach could lead to reputational damage, loss of trust, and potential regulatory scrutiny under GDPR due to inadequate protection of personal data. Additionally, sectors such as law enforcement, humanitarian aid, and critical infrastructure that use goTenna for communication in areas with limited connectivity could be at risk of adversaries identifying and targeting personnel based on intercepted phone numbers.

1. Users should be strongly advised to opt out of using their phone number as the GID within the goTenna app settings to prevent direct exposure of their phone numbers. 2. Organizations should consider disabling or restricting the use of goTenna v1 devices with app version 5.5.3 and firmware 0.25.5 until a patched version is available. 3. Employ network-level encryption or VPN tunnels when using goTenna devices to add an additional layer of confidentiality over the transmitted data. 4. Monitor network traffic for unencrypted transmissions of phone numbers and implement intrusion detection systems capable of flagging such cleartext leaks. 5. Educate users on the privacy implications of using phone numbers as identifiers and encourage the use of anonymized or randomized GIDs if the app supports it. 6. Engage with the vendor or community to prioritize the release of firmware and app updates that encrypt GIDs and remove default phone number usage. 7. For critical deployments, consider alternative communication devices or protocols that ensure encryption of all sensitive identifiers by default.