CVE-2025-5715
BaseFortify

Publication date: 2025-06-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Signal App 7.41.4 on Android. It has been declared as problematic. This vulnerability affects unknown code of the component Biometric Authentication Handler. The manipulation leads to missing critical step in authentication. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-06-06
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-06-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
signal signal 7.41.4
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-304 The product implements an authentication technique, but it skips a step that weakens the technique.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-5715 is an improper authentication vulnerability in Signal App 7.41.4 on Android. The issue occurs because Signal does not enforce re-authentication after biometric credentials on the device are modified, such as when a new fingerprint is added. An attacker with temporary physical access and knowledge of the device's PIN or password can add their own biometric data and then unlock the Signal app using their biometric without needing to re-enter the Signal PIN or password. This flaw allows unauthorized access to the app by bypassing critical authentication steps. [1, 2]


How can this vulnerability impact me?

This vulnerability can compromise the confidentiality and integrity of your messages within the Signal app. An attacker with temporary physical access and knowledge of your device PIN or password can enroll their biometric data and access your Signal messages without your consent or knowledge. This unauthorized access can lead to exposure of private communications and potential misuse of your account data. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is related to improper biometric authentication handling on the Signal Android app version 7.41.4 and requires physical access to the device. Detection involves verifying if the device allows biometric enrollment changes without invalidating existing biometric trust in Signal. There are no specific network detection commands or automated detection tools mentioned. Manual inspection on the device would include checking if new biometric credentials can be added without triggering re-authentication in Signal. No specific commands are provided in the available resources. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of Signal App version 7.41.4 on Android devices until a patch is released. Users should consider alternative secure messaging applications to avoid this risk. Additionally, restrict physical access to devices and avoid allowing untrusted parties to enroll biometric credentials. Since no patch or vendor response is available, these are the recommended precautions. [1, 2]
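As an added, defender-side illustration (not code from Signal, VulDB or this page), the following Kotlin shows the Android pattern that closes the CWE-304 gap described above: the app-lock gate is bound to an Android Keystore key created with `setInvalidatedByBiometricEnrollment(true)`, so the moment a new biometric is enrolled the key becomes unusable and the app must fall back to its own PIN/passphrase instead of accepting the new fingerprint. The key alias, the `unlockWithBiometric` flow and the callback names are assumptions; `KeyGenParameterSpec`, `KeyPermanentlyInvalidatedException` and the AndroidX `BiometricPrompt` API are real.

```kotlin
// Added illustration (not Signal's code): an app-lock key that Android
// permanently invalidates when a new biometric is enrolled. Alias and the
// unlock flow below are assumptions for the example.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

object AppLockKey {
    private const val ALIAS = "app_lock_key"   // assumed alias
    private const val STORE = "AndroidKeyStore"

    // Weak setting: setInvalidatedByBiometricEnrollment(false) leaves the key
    // usable by any biometric enrolled later, i.e. a newly added fingerprint
    // unlocks the app without any re-authentication (the flaw this page describes).
    // Hardened setting (used here): true, so an enrolment change kills the key.
    fun generate() {
        val spec = KeyGenParameterSpec.Builder(
            ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)        // every use needs a fresh auth
            .setInvalidatedByBiometricEnrollment(true)  // new biometric => key unusable
            .build()
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE).run {
            init(spec)
            generateKey()
        }
    }

    // Returns null when the key is missing or has been invalidated by an
    // enrolment change; the caller must then require the app's own passphrase.
    fun cipherForUnlock(): Cipher? {
        val ks = KeyStore.getInstance(STORE).apply { load(null) }
        val key = ks.getKey(ALIAS, null) as? SecretKey ?: return null
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        return try {
            cipher.init(Cipher.ENCRYPT_MODE, key)
            cipher
        } catch (e: KeyPermanentlyInvalidatedException) {
            ks.deleteEntry(ALIAS)   // drop the dead key; regenerate after passphrase auth
            null
        }
    }
}

// Unlock flow: a biometric result is only trusted when the Keystore actually
// authorised the cipher bound to the prompt.
fun unlockWithBiometric(
    activity: FragmentActivity,
    onUnlocked: () -> Unit,
    onNeedPassphrase: () -> Unit,
) {
    val cipher = AppLockKey.cipherForUnlock()
    if (cipher == null) {
        onNeedPassphrase()   // enrolment changed (or no key yet): passphrase required
        return
    }
    val prompt = BiometricPrompt(
        activity,
        ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                if (result.cryptoObject?.cipher != null) onUnlocked() else onNeedPassphrase()
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onNeedPassphrase()
            }
        }
    )
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock")
        .setNegativeButtonText("Use passphrase")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .build()
    prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

The design point is that the biometric prompt alone proves nothing about which enrolment produced the match; only the Keystore key, created with enrolment invalidation enabled and passed through `CryptoObject`, ties the unlock to the set of biometrics that existed when the user last authenticated with the app's own secret. After the passphrase path succeeds, the app calls `AppLockKey.generate()` again to re-bind the key to the current enrolment set.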

