CVE-2025-32884 is a medium-severity vulnerability affecting goTenna Mesh devices running app version 5.5.3 and firmware version 1.1.12. The core issue lies in the handling of the Group ID (GID), which by default is set to the user's phone number unless the user explicitly opts out. The GID is transmitted in messages without encryption, exposing sensitive personally identifiable information (PII). Since phone numbers can be directly linked to individuals, this lack of encryption constitutes a privacy risk. The vulnerability is categorized under CWE-319 (Cleartext Transmission of Sensitive Information), indicating that sensitive data is sent over the network in an unprotected manner. The CVSS v3.1 score is 4.3 (medium), reflecting that the vulnerability requires low attack complexity, no privileges, no user interaction, and can be exploited remotely (attack vector: adjacent network). The impact is limited to confidentiality loss; integrity and availability are unaffected. There are no known exploits in the wild, and no patches have been published yet. The device's design choice to use phone numbers as default GIDs without encryption exposes users to potential tracking, profiling, or targeted attacks by adversaries capable of intercepting mesh network communications. This vulnerability primarily affects the privacy of users rather than system functionality or availability.

For European organizations, especially those using goTenna Mesh devices for communication in sectors such as emergency services, outdoor activities, or decentralized communication networks, this vulnerability poses a privacy risk. The exposure of phone numbers can lead to identification and tracking of personnel or users, potentially compromising operational security and user anonymity. This could be particularly sensitive for NGOs, journalists, or activists relying on goTenna Mesh for secure communication in restrictive environments. While the vulnerability does not allow for system compromise or disruption, the leakage of phone numbers could facilitate targeted social engineering, surveillance, or harassment. Organizations handling sensitive communications or operating in privacy-conscious jurisdictions (e.g., under GDPR regulations) may face compliance issues if user data is exposed. The risk is heightened in environments where mesh network traffic can be intercepted by adversaries, such as public events or conflict zones.

1. Users should be strongly advised to opt out of using their phone number as the GID, selecting anonymous or randomized identifiers where possible to prevent direct linkage to personal information. 2. Organizations should configure devices and apps to disable default phone number usage for GIDs and enforce this policy through device management or user training. 3. Network traffic should be monitored for unencrypted transmissions of sensitive data; deploying mesh network traffic analysis tools can help detect leakage. 4. Until an official patch is released, consider restricting the deployment of goTenna Mesh devices to non-sensitive environments or supplementing their use with additional encryption layers at the application or network level. 5. Engage with the vendor or community to request timely firmware and app updates that encrypt GIDs in transit. 6. Implement operational security measures to limit the exposure of mesh network communications to adversaries, such as physical security controls and limiting device usage in high-risk areas. 7. Review and update privacy policies and user consent forms to reflect the potential exposure of phone numbers and ensure compliance with GDPR and other relevant regulations.