How the CVE Works:
The vulnerability in goTenna v1 devices (app v5.5.3, firmware v0.25.5) stems from a hardcoded verification token used for SMS transmission via goTenna servers. Since the token is embedded in the app, attackers can extract it and impersonate legitimate devices, enabling unauthorized SMS sending, data interception, or server abuse. This bypasses authentication mechanisms, as the fixed token cannot be revoked or rotated without a firmware update.
DailyCVE Form:
Platform: goTenna v1
Version: 5.5.3 (app), 0.25.5 (firmware)
Vulnerability: Hardcoded token
Severity: Critical
Date: 06/20/2025
Prediction: Patch by 08/2025
What Undercode Says:
strings gotenna_app | grep "verification_token"
adb pull /data/data/com.gotenna/app_token.key
curl -X POST -H "Token: HARDCODED_KEY" https://api.gotenna.com/sms_send
How to Exploit:
Extract token via reverse engineering, replay in API requests.
Protection from this CVE:
Update the firmware and implement dynamic token generation so that tokens can be rotated and revoked.
Impact:
Unauthorized SMS, server misuse.
Sources:
Reported By: nvd.nist.gov