CVE-2024-43694

goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information

CVSS 5.1 MEDIUMEPSS 0.1%CWE-922

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.1EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

26 Sep 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.

CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

goTenna · Pro ATAK Plugin

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05