CVE-2025-61482
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-10-30

Assigner: MITRE

Description
Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61482
EUVD
EUVD-2025-36185
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netknights privacyidea_authenticator 4.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in privacyIDEA Authenticator v4.3.0 on Android allows local attackers with root access to hook into the app's cryptographic functions at runtime and intercept decryption operations. By doing so, they can recover plaintext OTP/TOTP/HOTP secret seeds stored in memory buffers. With these secrets, attackers can generate valid one-time passwords for enrolled accounts, effectively bypassing two-factor authentication. The attack requires root privileges and use of instrumentation tools like Frida, and it can be performed without user interaction even when the app is not actively displaying secrets. [1]

Impact Analysis

If your device is rooted and compromised, an attacker can extract your OTP secrets from the privacyIDEA Authenticator app, allowing them to generate valid one-time passwords and bypass two-factor authentication protections on your accounts. This can lead to account takeover, compromising the confidentiality and integrity of your accounts protected by this app. [1]

Detection Guidance

This vulnerability can be detected on rooted Android devices by using runtime instrumentation tools such as Frida to attach to the privacyIDEA Authenticator app process (it.netknights.piauthenticator) and hooking into its cryptographic functions to intercept decryption operations. A practical approach involves running Frida scripts that hook cipher functions to dump plaintext OTP secrets from memory buffers. For example, using Frida with a script similar to the tracer-cipher.js from the android-keystore-audit repository can help detect such activity. Commands would include installing Frida, connecting to the device, and running a script to trace cryptographic operations on the app process. [1, 2]

Mitigation Strategies

Immediate mitigation steps include treating rooted devices as untrusted and enforcing device integrity checks such as Mobile Device Management (MDM) solutions or Google's Play Integrity API to prevent usage on compromised devices. Additionally, using hardware-backed or external tokens to store OTP secrets can minimize exposure of plaintext secrets. Since no fixed version was available at the time of analysis, avoiding use of privacyIDEA Authenticator on rooted devices or restricting root access is recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61482. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart