#VU107599 Improper Authentication in KDE.org products - CVE-2025-32898

Cybersecurity Help s.r.o.

Published: 2025-04-18

Vulnerability identifier: #VU107599

Vulnerability risk: Medium

CVSSv4.0: 6.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-32898

CWE-ID: CWE-287

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
KDE Connect
Client/Desktop applications / Software for system administration
KDE Connect Android
Mobile applications / Apps for mobile phones
KDE Connect iOS
Mobile applications / Apps for mobile phones

Vendor: KDE.org

Description

The vulnerability allows an attacker to bypass authentication process.

The vulnerability exists due to usage of a weak authentication mechanism when pairing devices. KDE Connect displays an 8-character-long verification code when pairing two devices that is generated from the devices public keys. An attacker with physical proximity to device can brute-force the a key pair such that the resulting verification code matches the one of another device they try to impersonate.

Note, this attack can be launched remotely if an attacker has a presence in the victim's network through a compromised system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

KDE Connect: 0.1 - 25.03.90

KDE Connect Android: 0.1 - 1.32.11

KDE Connect iOS: 0.3.0 - 0.4.2

External links
https://kde.org/info/security/advisory-20250418-3.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in KDE Connect apps