CVE-2025-32900
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: MITRE

Description
In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-32900
EUVD
EUVD-2025-201362
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
kde kde_connect 25.04
valent valent 1.0.0.alpha.47
kde kde_connect 0.5
gsconnect gsconnect 59
kde kde_connect 1.33.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in KDE Connect and related software allows an attacker to craft a packet that temporarily changes the displayed information about a device. It occurs because the protocol uses broadcast UDP, which can be exploited to send misleading information to devices running affected versions.

Impact Analysis

The impact of this vulnerability is that an attacker can cause devices to display incorrect information temporarily. This could lead to confusion or misidentification of devices but does not result in data loss or system compromise.

Compliance Impact

The vulnerability allows an attacker to impersonate devices by sending crafted unauthenticated UDP packets, causing temporary display of incorrect device information. This could lead to user confusion and potentially pairing with the wrong device. While the advisory recommends avoiding use on untrusted networks and updating to versions using TLS to mitigate the issue, there is no direct information provided about impacts on compliance with standards like GDPR or HIPAA. [1]

Detection Guidance

You can detect if KDE Connect is using the vulnerable unauthenticated UDP broadcast protocol by checking the encryption status. On desktop systems, use the command line tool: "kdeconnect-cli --encryption-info" to verify if the secure protocol version 8 (which uses TLS) is in use. On Android devices, check the encryption info via the device overflow menu. If the connection is not encrypted, the system is vulnerable to this issue. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of KDE Connect on untrusted networks such as airports or conferences to prevent attackers from sending crafted UDP packets. The recommended solution is to update KDE Connect to versions that use encrypted communication over TLS (Android 1.33.0 or later, desktop 25.04 or later, iOS 0.5 or later). For other affected implementations like Valent and GSConnect, update to versions with the known fixes (Valent 1.0.0.alpha.47 and GSConnect 59). [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-32900. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart