CVE-2025-32900
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kde | kde_connect | 25.04 |
| valent | valent | 1.0.0.alpha.47 |
| kde | kde_connect | 0.5 |
| gsconnect | gsconnect | 59 |
| kde | kde_connect | 1.33.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-348 | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in KDE Connect and related software allows an attacker to craft a packet that temporarily changes the displayed information about a device. It occurs because device discovery in the protocol uses unauthenticated broadcast UDP, so a crafted broadcast can deliver misleading device information to devices running affected versions.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can cause devices to display incorrect information temporarily. This could lead to confusion or misidentification of devices but does not result in data loss or system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to impersonate devices by sending crafted unauthenticated UDP packets, causing temporary display of incorrect device information. This could lead to user confusion and potentially pairing with the wrong device. While the advisory recommends avoiding use on untrusted networks and updating to versions using TLS to mitigate the issue, there is no direct information provided about impacts on compliance with standards like GDPR or HIPAA. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect whether KDE Connect is still using the vulnerable unauthenticated UDP broadcast protocol by checking its encryption status. On desktop systems, run the command line tool `kdeconnect-cli --encryption-info` to verify that the secure protocol version 8 (which uses TLS) is in use. On Android devices, check the encryption info via the device overflow menu. If the connection is not encrypted, the system is vulnerable to this issue. [1]
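As an added network-side detection example (not from the advisory or the KDE Connect project), the following Python script inspects captured discovery datagrams and flags identity broadcasts that advertise a protocol version below 8 or that change a device's displayed name or type. It assumes KDE Connect's JSON identity packet layout (a `"kdeconnect.identity"` packet whose body carries `deviceId`, `deviceName`, `deviceType` and `protocolVersion`) and constructs its own sample datagrams.

```python
import json
from typing import Dict, List, Tuple

SECURE_PROTOCOL_VERSION = 8  # advisory: protocol v8 moves the traffic onto TLS

def analyze_identity_packets(packets: List[Tuple[str, bytes]]) -> List[str]:
    """Scan (source_ip, datagram) pairs and return human-readable findings.
    Assumed layout (KDE Connect discovery, not from the page): newline-terminated
    JSON, "type" == "kdeconnect.identity", body with deviceId/deviceName/deviceType/protocolVersion."""
    findings: List[str] = []
    last_seen: Dict[str, Tuple[str, str, str]] = {}  # deviceId -> (name, type, src)
    for src, datagram in packets:
        try:
            packet = json.loads(datagram.decode("utf-8").strip())
        except (UnicodeDecodeError, ValueError):
            findings.append(f"{src}: undecodable datagram")
            continue
        if packet.get("type") != "kdeconnect.identity":
            continue  # only identity broadcasts carry the displayed name/type
        body = packet.get("body", {})
        dev_id, name, dtype = body.get("deviceId"), body.get("deviceName"), body.get("deviceType")
        version = body.get("protocolVersion")
        if not isinstance(dev_id, str) or not isinstance(name, str):
            findings.append(f"{src}: identity packet without deviceId/deviceName")
            continue
        if not isinstance(version, int) or version < SECURE_PROTOCOL_VERSION:
            findings.append(f"{src}: {dev_id} advertises protocolVersion {version} (pre-TLS)")
        prev = last_seen.get(dev_id)
        if prev is not None and (prev[0], prev[1]) != (name, dtype):
            findings.append(f"{src}: {dev_id} changed from {prev[0]!r}/{prev[1]} "
                            f"(seen from {prev[2]}) to {name!r}/{dtype}")
        last_seen[dev_id] = (name, dtype, src)
    return findings

def identity_datagram(dev_id: str, name: str, dtype: str, version: int) -> bytes:
    """Build a constructed identity datagram for offline testing (assumed layout)."""
    body = {"deviceId": dev_id, "deviceName": name, "deviceType": dtype,
            "protocolVersion": version, "tcpPort": 1716}
    return (json.dumps({"id": 1, "type": "kdeconnect.identity", "body": body}) + "\n").encode()

# Constructed sample: a legitimate phone on v8, then a conflicting v7 broadcast
# for the same deviceId from another host, then garbage on the discovery port.
SAMPLE_PACKETS = [
    ("192.0.2.10", identity_datagram("dev-1234", "My Phone", "phone", 8)),
    ("192.0.2.10", identity_datagram("dev-1234", "My Phone", "phone", 8)),
    ("192.0.2.99", identity_datagram("dev-1234", "Lobby Phone", "desktop", 7)),
    ("192.0.2.20", b"not a kdeconnect packet\n"),
]
```

Feeding it datagrams captured from the discovery port (UDP 1716 in KDE Connect) gives an alert each time a known device id suddenly shows up with a different name, type or source host, which is the symptom the advisory describes.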
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of KDE Connect on untrusted networks such as airports or conferences to prevent attackers from sending crafted UDP packets. The recommended solution is to update KDE Connect to versions that use encrypted communication over TLS (Android 1.33.0 or later, desktop 25.04 or later, iOS 0.5 or later). For other affected implementations like Valent and GSConnect, update to versions with the known fixes (Valent 1.0.0.alpha.47 and GSConnect 59). [1]