CVE-2025-32885 is a medium-severity vulnerability affecting goTenna v1 devices running app version 5.5.3 and firmware version 0.25.5. The vulnerability allows an attacker to inject arbitrary custom messages into existing goTenna v1 networks by leveraging a software-defined radio (SDR). Specifically, the attacker can spoof any Group ID (GID) and Callsign, effectively impersonating legitimate network participants or injecting misleading information. This attack vector is feasible in scenarios where the goTenna network is operating in an unencrypted environment or if the cryptographic protections have already been compromised. The vulnerability does not require authentication or user interaction and can be exploited remotely given radio access to the network frequency. The CVSS 3.1 base score is 6.5, reflecting a medium severity due to high impact on confidentiality but no impact on integrity or availability. The attack complexity is low, requiring only access to radio frequencies and SDR equipment, which are increasingly accessible. The scope is limited to goTenna v1 networks using the specified app and firmware versions. No patches or vendor mitigations are currently available, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-1390, which relates to weaknesses in cryptographic protocols or implementations that allow message injection or spoofing.

For European organizations using goTenna v1 devices, particularly in sectors relying on secure off-grid communication such as emergency services, outdoor expedition teams, or critical infrastructure monitoring, this vulnerability poses a significant confidentiality risk. An attacker could inject false messages, causing misinformation or unauthorized data disclosure within the network. Although the integrity and availability of the network are not directly compromised, the ability to spoof messages undermines trust in the communication channel and could lead to operational disruptions or misinformed decision-making. The risk is heightened in unencrypted deployments or where cryptographic keys have been compromised. Given the increasing use of goTenna devices for decentralized communication in remote or sensitive environments, European organizations could face targeted misinformation campaigns or espionage attempts exploiting this vulnerability. However, the impact is somewhat limited by the niche usage of goTenna v1 devices and the requirement for radio proximity to the target network.

To mitigate this vulnerability, European organizations should first assess their deployment of goTenna v1 devices and identify any running the vulnerable app and firmware versions. Immediate steps include transitioning to encrypted communication modes if available, as encryption prevents unauthorized message injection. If encryption is not currently enabled or feasible, organizations should restrict physical and radio access to the network frequencies used by goTenna devices, employing radio frequency monitoring and intrusion detection systems to detect anomalous transmissions. Additionally, organizations should consider upgrading to newer goTenna hardware or firmware versions that address this vulnerability once available. Implementing operational procedures to verify message authenticity through out-of-band channels can also reduce the risk of acting on spoofed messages. Finally, maintaining situational awareness of SDR threats and training personnel on recognizing suspicious network behavior will enhance resilience against exploitation.