CVE-2025-66270
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: MITRE

Description
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66270
EUVD
EUVD-2025-201386
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
kde kde_connect 25.04
gsconnect gsconnect 68
valent valent 1.0.0.alpha.49
kde kde_connect 0.5.4
kde kde_connect 1.34.4
valent valent 1.0.0.alpha.47
kde kde_connect 0.5.2
gsconnect gsconnect 59
kde kde_connect 25.12
kde kde_connect 1.33.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in KDE Connect protocol versions before 2025-11-28 involves the failure to correlate device IDs across two packets. This means that the protocol does not properly link or verify device identities between separate communications, potentially leading to issues in device authentication or session management.

Impact Analysis

The vulnerability can impact users by allowing potential confusion or misassociation between devices communicating via KDE Connect. This could lead to unauthorized access or information leakage between devices, as the protocol does not reliably verify that packets come from the same device, potentially compromising confidentiality and integrity.

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows an attacker to impersonate a paired device and bypass authentication, it could potentially lead to unauthorized access to personal or sensitive data, which may affect compliance with data protection regulations. No direct statements about compliance impact are given. [3]

Mitigation Strategies

Immediate mitigation steps include stopping the use of KDE Connect on untrusted networks such as airports or conferences, or unpairing all devices until the vulnerability is patched. The ultimate solution is to update KDE Connect and related software (GSConnect, Valent, Android, iOS versions) to the fixed versions that include the patches addressing this vulnerability. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart