CVE-2025-13476
Status: Awaiting Analysis - Queue
Predictable TLS Fingerprint in Rakuten Viber Enables Traffic Blocking

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: CERT/CC

Description
Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic, undermining censorship circumvention. (CWE-327)
Meta Information
  • Published: 2026-03-05
  • Last Modified: 2026-03-10
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-05
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)

  Vendor    Product   Version / Range
  rakuten   viber     From 25.6.0 (inc) to 25.8.1.0 (inc)
  rakuten   viber     9.3.0.6
CWE
  • CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-13476 is a vulnerability in the Rakuten Viber messaging app's Cloak mode on Android (v25.7.2.0g) and Windows (v25.6.0.0 through v25.8.1.0). Cloak mode is designed to hide the use of a proxy or VPN to improve user anonymity. However, the TLS handshake in this mode uses a static and predictable ClientHello fingerprint that lacks extension diversity.

Because of this predictable fingerprint, Deep Packet Inspection (DPI) systems can easily identify and block Viber's proxy traffic. This defeats the purpose of Cloak mode by exposing proxy usage, which can lead to censorship circumvention being undermined. [1]


How can this vulnerability impact me?

This vulnerability allows network operators or censors to detect and block Viber traffic that uses the Cloak proxy mode. As a result, users attempting to bypass censorship or maintain anonymity through proxy use may experience denial of service or inability to connect.

Additionally, users receive no indication that their proxy use is exposed, which may lead to a false sense of security regarding their privacy and anonymity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying the static and predictable TLS ClientHello fingerprint used by Rakuten Viber Cloak mode in affected versions. Deep Packet Inspection (DPI) systems can trivially detect this fingerprint due to its lack of extension diversity.

To detect this on your network, you would monitor TLS handshakes and look for the specific ClientHello fingerprint that matches the vulnerable Viber Cloak mode traffic.

While no specific commands are provided in the resources, typical detection methods could include using packet capture tools like Wireshark or tcpdump to capture TLS handshakes and then analyzing the ClientHello messages for the static fingerprint pattern.

  • Use tcpdump to capture TLS traffic: tcpdump -i <interface> 'tcp port 443' -w capture.pcap
  • Open the capture in Wireshark and filter for 'tls.handshake.type == 1' to view ClientHello messages.
  • Analyze the ClientHello extensions and fingerprint for lack of diversity or static patterns indicative of the vulnerable Viber Cloak mode. [1]
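
One way to carry out the last step above in code, as an added example that is not part of this record and not Viber's own code: a small Python parser that reads raw TLS ClientHello records (for instance the handshake bytes exported from the Wireshark filter above), computes a JA3-style fingerprint from the protocol version, cipher suites, extension types, supported groups and point formats, and reports how many distinct fingerprints a set of captured handshakes produces. A client whose handshakes all hash to one fingerprint is in the static, zero-diversity condition the advisory describes. The sample ClientHellos are constructed inline with a small builder; the cipher lists, the 'localhost' SNI value and the two sample clients are assumptions for illustration, not values taken from the advisory.

```python
import hashlib
import struct
from collections import Counter

# GREASE values (RFC 8701) are ignored when fingerprinting, as JA3 does.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(version, ciphers, extensions, random_bytes=b"\x00" * 32):
    """Serialize a minimal TLS ClientHello record (constructed sample input, not real captures)."""
    ext_bytes = b"".join(struct.pack("!HH", etype, len(edata)) + edata for etype, edata in extensions)
    body = (
        struct.pack("!H", version)
        + random_bytes
        + b"\x00"  # empty session id
        + struct.pack("!H", 2 * len(ciphers))
        + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"  # one compression method: null
        + struct.pack("!H", len(ext_bytes))
        + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, ciphers, extension types, supported groups, point formats) of a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32  # client_version and 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    ext_types, groups, formats = [], [], []
    if pos < len(body):
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:  # supported_groups: 2-byte list length, 2-byte entries
                glen = struct.unpack_from("!H", edata, 0)[0]
                groups = [struct.unpack_from("!H", edata, 2 + i)[0] for i in range(0, glen, 2)]
            elif etype == 11:  # ec_point_formats: 1-byte list length, 1-byte entries
                formats = list(edata[1:1 + edata[0]])
    return version, ciphers, ext_types, groups, formats


def ja3(record):
    """JA3-style fingerprint: (readable string, md5 hex digest)."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3_str = ",".join([str(version), join(ciphers), join(exts), join(groups), join(formats)])
    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()


def fingerprint_diversity(records):
    """(number of distinct fingerprints, share of the most common one) over captured ClientHellos.

    A share of 1.0 means every handshake produced the same fingerprint: the static condition
    that lets a DPI box match the client with a single rule."""
    counts = Counter(ja3(r)[1] for r in records)
    return len(counts), max(counts.values()) / len(records)


# Constructed extensions (assumed values): SNI 'localhost', x25519 + secp256r1, uncompressed points, ALPN h2.
SNI = (0, b"\x00\x0c\x00\x00\x09localhost")
GROUPS = (10, b"\x00\x04\x00\x1d\x00\x17")
FORMATS = (11, b"\x01\x00")
ALPN = (16, b"\x00\x03\x02h2")
CIPHERS = [0x1301, 0x1302, 0xC02B]

# Sample client 1: five handshakes that differ only in the random field (constructed, static fingerprint).
STATIC_SAMPLE = [
    build_client_hello(0x0303, CIPHERS, [SNI, GROUPS, FORMATS, ALPN], bytes([i]) * 32) for i in range(5)
]

# Sample client 2: five handshakes that vary extension order, extension set, cipher order and GREASE use.
DIVERSE_SAMPLE = [
    build_client_hello(0x0303, CIPHERS, [SNI, GROUPS, FORMATS, ALPN]),
    build_client_hello(0x0303, CIPHERS, [GROUPS, SNI, ALPN, FORMATS]),
    build_client_hello(0x0303, CIPHERS, [SNI, GROUPS, FORMATS]),
    build_client_hello(0x0303, [0xC02B, 0x1301, 0x1302], [SNI, GROUPS, FORMATS, ALPN]),
    build_client_hello(0x0303, [0x2A2A] + CIPHERS, [SNI, ALPN, GROUPS, FORMATS]),
]

if __name__ == "__main__":
    for name, sample in (("static client", STATIC_SAMPLE), ("diverse client", DIVERSE_SAMPLE)):
        distinct, share = fingerprint_diversity(sample)
        print(f"{name}: {distinct} distinct fingerprint(s), most common share {share:.2f}")
```

Feed the parser the raw ClientHello records of a client under test (many connections, not one) and read the result as a defender would: one fingerprint across every connection means a single DPI rule matches the client, while a spread of fingerprints, including GREASE and varying extension order, is the diversity the advisory says is missing.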


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to upgrade the Rakuten Viber application to fixed versions where the vulnerability is resolved.

  • For Android users, upgrade to version 27.2.0.0g or later.
  • For Windows users, upgrade to version 27.3.0.0 or later.
  • Windows users are also advised to enable automatic updates to ensure timely application of future fixes.
