CVE-2024-45374 MEDIUM

CVE-2024-45374: goTenna Pro ATAK Plugin Weak Password Requirements

Vendor Gotenna
Product Pro ATAK Plugin
Weakness CWE-521
Published September 26, 2024
Last update March 12, 2025

CVSS base score

5.3/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions.

Key dates

02Disclosure timeline

September 26, 2024 CVE published
March 12, 2025 Record updated