CVE-2025-32898
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: MITRE

Description
The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-32898
EUVD
EUVD-2025-201337
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
kde kde_connect *
valent valent 1.0.0.alpha.47
gsconnect gsconnect 59
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-331 The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the KDE Connect verification-code protocol, which uses only 8 characters for verification codes before version 2025-04-18. Because the code length is short, it allows attackers to perform brute-force attacks to guess the verification code.

Impact Analysis

An attacker could exploit this vulnerability by brute-forcing the verification code, potentially gaining unauthorized access or control over the affected KDE Connect applications on Android, desktop, iOS, Valent, or GSConnect before the specified versions.

Mitigation Strategies

To mitigate this vulnerability, update KDE Connect and related affected software to versions that fix the issue: KDE Connect to version 1.33.0 or later on Android, 25.04 or later on desktop, and 0.5 or later on iOS; Valent to version 1.0.0.alpha.47 or later; and GSConnect to version 59 or later.

Detection Guidance

You can detect if your KDE Connect installation is vulnerable by checking the encryption protocol version used. On the desktop, run the command "kdeconnect-cli --encryption-info" to verify if the device uses the secure protocol version 8 that includes a time-based component in the verification code. On Android, you can check the "Encryption Info" section in the KDE Connect app. If the device uses the older static 8-character verification code, it is vulnerable to brute-force attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-32898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart