CVE-2025-61482 is a vulnerability identified in version 4.3.0 of the privacyIDEA Authenticator Android application developed by NetKnights GmbH. The vulnerability stems from improper handling of OTP (One-Time Password), TOTP (Time-based One-Time Password), and HOTP (HMAC-based One-Time Password) secrets within the app’s cryptographic routines. Specifically, local attackers who have obtained root access on the Android device can hook into the app’s cryptographic functions and intercept the decryption process of stored secrets. By recovering these plaintext secrets, attackers can generate valid one-time passwords for any enrolled account, effectively bypassing the two-factor authentication mechanism. The vulnerability is categorized under CWE-922 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), CWE-522 (Insufficiently Protected Credentials), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.2, reflecting high severity, with attack vector local (AV:L), attack complexity high (AC:H), privileges required high (PR:H), no user interaction (UI:N), scope changed (S:C), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). No patches or known exploits are currently reported. The vulnerability requires root privileges, which limits exploitation to scenarios where the attacker has already compromised the device at a high level. However, once exploited, it completely undermines the security guarantees of two-factor authentication by exposing the secret keys used to generate OTPs.

For European organizations, this vulnerability poses a significant risk to the security of accounts protected by privacyIDEA Authenticator on Android devices. Since the vulnerability allows attackers with root access to bypass two-factor authentication, it can lead to unauthorized access to sensitive systems and data, compromising confidentiality and integrity. Organizations in sectors with high security requirements, such as finance, healthcare, and government, could face severe consequences including data breaches, fraud, and regulatory penalties under GDPR. The requirement for root access means the threat is more relevant in environments where endpoint security is weak or where devices are susceptible to rooting or malware that escalates privileges. The inability to rely on 2FA in these cases undermines trust in authentication mechanisms and may necessitate additional compensating controls. Given the widespread use of Android devices in Europe and the adoption of privacyIDEA in enterprise environments, the impact could be substantial if exploited. However, the lack of known exploits in the wild and the high complexity of attack reduce immediate risk but do not eliminate the need for proactive mitigation.

European organizations should implement a layered approach to mitigate this vulnerability beyond generic advice. First, restrict and monitor root access on Android devices by enforcing strict mobile device management (MDM) policies that prevent rooting and detect jailbroken devices. Deploy endpoint detection and response (EDR) solutions capable of identifying suspicious hooking or cryptographic interception behaviors. Encourage users to update to newer versions of privacyIDEA Authenticator once patches are released; meanwhile, consider alternative 2FA solutions that do not expose secrets on rooted devices. Implement hardware-backed security modules (e.g., Android Keystore with StrongBox) to protect cryptographic keys from extraction, reducing the risk even if root access is obtained. Conduct regular security audits and penetration tests focusing on mobile device security posture. Educate users about the risks of rooting devices and the importance of maintaining device integrity. Finally, apply network-level controls such as conditional access policies that require device compliance checks before granting access to sensitive resources, limiting the impact of compromised endpoints.