CVE-2025-32886 is a medium-severity vulnerability identified in goTenna v1 devices running app version 5.5.3 and firmware version 0.25.5. goTenna devices are specialized communication tools that enable off-grid, peer-to-peer messaging by transmitting data over radio frequency (RF). The vulnerability arises because all packets sent over RF are simultaneously transmitted over the UART interface via a USB Shell. This design flaw allows an attacker with local physical access to the device's UART interface to intercept and analyze the data packets that are otherwise intended for RF transmission. Consequently, sensitive information about the communication protocol and potentially the data payload can be exposed. The vulnerability is classified under CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), indicating that the device fails to restrict data transmission to the intended communication channel, inadvertently leaking data through an unintended interface. Exploitation does not require authentication or user interaction but does require local physical access to the device's UART port. The CVSS 3.1 score is 4.0 (medium), reflecting limited impact on confidentiality (partial data exposure), no impact on integrity or availability, and low complexity of attack given local access. No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability primarily affects environments where goTenna v1 devices are used and where attackers can gain physical proximity to the devices to connect to the UART interface.

For European organizations, the impact of this vulnerability depends largely on the deployment context of goTenna v1 devices. These devices are typically used for off-grid communication in remote or emergency scenarios, including outdoor activities, disaster response, and military or security operations. If European entities in sectors such as emergency services, defense, critical infrastructure, or outdoor expedition companies use these devices, the vulnerability could lead to unauthorized interception of sensitive communication data. This could compromise operational security by revealing communication protocols or message contents, potentially enabling adversaries to analyze or disrupt communication patterns. However, since exploitation requires physical access to the device, the risk is mitigated in controlled environments but remains significant in field deployments where devices may be left unattended or accessed by unauthorized personnel. The lack of impact on data integrity or availability means the threat is primarily one of confidentiality breach rather than disruption or data manipulation.

1. Physically secure goTenna devices to prevent unauthorized access to UART ports, especially in field or remote deployments. Use tamper-evident seals or enclosures to detect unauthorized access. 2. Restrict physical access to devices by implementing strict chain-of-custody procedures and personnel vetting in sensitive operations. 3. Monitor devices for unauthorized connections to USB or UART interfaces using hardware intrusion detection or periodic inspections. 4. If possible, disable or restrict UART interface access when not in use, or implement firmware-level controls to prevent data leakage over UART. 5. Advocate for and track vendor updates or patches addressing this vulnerability; apply firmware and app updates promptly once available. 6. Employ encryption at the application layer for sensitive messages transmitted via goTenna devices to ensure confidentiality even if packets are intercepted. 7. Train personnel on the risks of physical device access and the importance of securing communication hardware in the field.