CVE-2025-32888 identifies a security vulnerability in goTenna Mesh devices running app version 5.5.3 and firmware version 1.1.12. The core issue is the presence of a hardcoded verification token within the application, which is used to authenticate SMS messages sent through the goTenna server. This token is embedded directly in the app's code rather than being dynamically generated or securely stored, which constitutes a CWE-798 (Use of Hard-coded Credentials) weakness. Because the token is static and accessible, an attacker who obtains it can potentially send unauthorized SMS messages via the goTenna server, impersonating legitimate device communications. The vulnerability has a CVSS v3.1 base score of 7.3, indicating high severity. The vector details specify that the attack requires local access (AV:L), no privileges (PR:N), and no user interaction (UI:N), but the impact on availability is high (A:H), with limited confidentiality (C:L) and integrity (I:L) impacts. The scope remains unchanged (S:U). There are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability was reserved in April 2025 and published in May 2025. The goTenna Mesh device is a specialized communication tool designed for off-grid, peer-to-peer messaging and location sharing, often used in outdoor, emergency, or tactical environments. The hardcoded token flaw could allow attackers to disrupt communications by sending spoofed or malicious SMS messages, potentially causing denial of service or misinformation within a mesh network reliant on these devices.

For European organizations, especially those involved in emergency services, outdoor expedition companies, defense contractors, or NGOs operating in remote areas, this vulnerability poses a significant risk. The goTenna Mesh devices are used to maintain communication where cellular or internet infrastructure is unavailable or unreliable. Exploitation could lead to unauthorized message injection, disrupting critical communication channels and potentially causing operational failures or safety hazards. The high impact on availability means that attackers could degrade or deny messaging services, which could be catastrophic in emergency response scenarios. The limited confidentiality and integrity impacts suggest that while data leakage or modification is less likely, the disruption of service alone is a critical concern. Additionally, organizations relying on these devices for secure off-grid communication may face increased risk of misinformation or spoofed messages, undermining trust in the communication network. Given the lack of patches, organizations must be vigilant in monitoring and controlling device usage and network access.

1. Immediate mitigation should focus on restricting physical and network access to goTenna Mesh devices to trusted personnel only, minimizing the risk of token extraction. 2. Employ network-level monitoring to detect anomalous SMS traffic patterns indicative of unauthorized message injection. 3. Where possible, isolate goTenna Mesh device communications from critical infrastructure networks to contain potential disruptions. 4. Implement compensating controls such as multi-factor verification for critical message acknowledgments outside the goTenna network to validate message authenticity. 5. Engage with the device vendor or community to seek firmware updates or patches addressing the hardcoded token issue; if unavailable, consider temporary operational workarounds such as disabling SMS sending features if feasible. 6. Train users and administrators on the risks associated with the vulnerability and establish incident response plans specific to communication disruptions. 7. For organizations deploying these devices in sensitive environments, consider alternative communication solutions until a secure fix is available.