CVE-2025-32898
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-32898, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: MITRE

Description

The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-07-06
AI Q&A
2025-12-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
kde kde_connect *
valent valent 1.0.0.alpha.47
gsconnect gsconnect 59

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-331 The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the KDE Connect verification-code protocol, which uses only 8 characters for verification codes before version 2025-04-18. Because the code length is short, it allows attackers to perform brute-force attacks to guess the verification code.

Impact Analysis

An attacker could exploit this vulnerability by brute-forcing the verification code, potentially gaining unauthorized access or control over the affected KDE Connect applications on Android, desktop, iOS, Valent, or GSConnect before the specified versions.

Mitigation Strategies

To mitigate this vulnerability, update KDE Connect and related affected software to versions that fix the issue: KDE Connect to version 1.33.0 or later on Android, 25.04 or later on desktop, and 0.5 or later on iOS; Valent to version 1.0.0.alpha.47 or later; and GSConnect to version 59 or later.

Detection Guidance

You can detect if your KDE Connect installation is vulnerable by checking the encryption protocol version used. On the desktop, run the command "kdeconnect-cli --encryption-info" to verify if the device uses the secure protocol version 8 that includes a time-based component in the verification code. On Android, you can check the "Encryption Info" section in the KDE Connect app. If the device uses the older static 8-character verification code, it is vulnerable to brute-force attacks. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-32898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart