Risk | Medium
Patch available | YES
Number of vulnerabilities | 4
CVE-ID | CVE-2025-32899, CVE-2025-32901, CVE-2025-32900, CVE-2025-32898
CWE-ID | CWE-20, CWE-345, CWE-287
Exploitation vector | Local network
Public exploit | N/A
Vulnerable software | KDE Connect Android (Mobile applications / Apps for mobile phones); KDE Connect iOS (Mobile applications / Apps for mobile phones); KDE Connect (Client/Desktop applications / Software for system administration)
Vendor | KDE.org
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU107602
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-32899
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the way the application handles broadcast UDP packets. When it receives an invalid discovery UDP packet, the application attempts to unpair the device that sent the packet. A remote attacker can send malformed UDP packets and disrupt network connectivity.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: KDE Connect Android: 0.1 - 1.32.11
CPE2.3
https://kde.org/info/security/advisory-20250418-1.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU107601
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-32901
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling UDP broadcasts. A remote attacker on the local network can send a specially crafted UDP broadcast packet and crash the application.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: KDE Connect Android: 0.1 - 1.32.11
CPE2.3
https://kde.org/info/security/advisory-20250418-4.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU107600
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-32900
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
Description: The vulnerability allows a remote attacker to impersonate other devices on the network.
The vulnerability exists due to the way KDE Connect handles broadcasts and discovers devices inside the network. A remote attacker on the local network can send broadcast UDP packets that contain the display name of another system and perform a spoofing attack.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: KDE Connect: 0.1 - 25.03.90
KDE Connect Android: 0.1 - 1.32.11
KDE Connect iOS: 0.3.0 - 0.4.2
CPE2.3
https://kde.org/info/security/advisory-20250418-2.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU107599
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-32898
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
Description: The vulnerability allows an attacker to bypass the authentication process.
The vulnerability exists due to the use of a weak authentication mechanism when pairing devices. When pairing two devices, KDE Connect displays an 8-character verification code that is generated from the devices' public keys. An attacker with physical proximity to the device can brute-force a key pair such that the resulting verification code matches that of another device they are trying to impersonate.
Note that this attack can also be launched remotely if the attacker has a presence in the victim's network through a compromised system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: KDE Connect: 0.1 - 25.03.90
KDE Connect Android: 0.1 - 1.32.11
KDE Connect iOS: 0.3.0 - 0.4.2
CPE2.3
https://kde.org/info/security/advisory-20250418-3.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.