{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-32899", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-12-05T14:34:45.440Z", "dateReserved": "2025-04-14T00:00:00.000Z", "datePublished": "2025-12-05T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "KDEConnect", "vendor": "KDE", "versions": [{"lessThan": "1.33.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1250", "description": "CWE-1250 Improper Preservation of Consistency Between Independent Representations of Shared State", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-05T04:45:51.898Z"}, "references": [{"url": "https://kdeconnect.kde.org"}, {"url": "https://kde.org/info/security/advisory-20250418-1.txt"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kde:kdeconnect:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.33.0"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T14:34:37.226563Z", "id": "CVE-2025-32899", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:34:45.440Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32899", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T14:34:37.226563Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:34:42.362Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "KDE", "product": "KDEConnect", "versions": [{"status": "affected", "version": "0", "lessThan": "1.33.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://kdeconnect.kde.org"}, {"url": "https://kde.org/info/security/advisory-20250418-1.txt"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1250", "description": "CWE-1250 Improper Preservation of Consistency Between Independent Representations of Shared State"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kde:kdeconnect:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.33.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-05T04:45:51.898Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32899", "state": "PUBLISHED", "dateUpdated": "2025-12-05T14:34:45.440Z", "dateReserved": "2025-04-14T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-05T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP."}, {"lang": "es", "value": "En KDE Connect antes de 1.33.0 en Android, se puede manipular un paquete que causa que dos dispositivos emparejados se desemparejen. Espec\u00edficamente, es un paquete de descubrimiento inv\u00e1lido enviado a trav\u00e9s de UDP de difusi\u00f3n."}], "id": "CVE-2025-32899", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-12-05T05:16:59.407", "references": [{"source": "cve@mitre.org", "url": "https://kde.org/info/security/advisory-20250418-1.txt"}, {"source": "cve@mitre.org", "url": "https://kdeconnect.kde.org"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1250"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "kde-connect: KDE Connect: Unpairing of devices via invalid broadcast UDP packet", "id": "2419077", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419077"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1250", "details": ["In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.", "A flaw was found in KDE Connect. This vulnerability allows two paired devices to unpair via an invalid discovery packet sent over broadcast User Datagram Protocol (UDP)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to systems running KDE Connect. Configure firewall rules to limit UDP traffic on the KDE Connect discovery port (default 1716) to only allow communication from trusted hosts or subnets. This may impact the ability of KDE Connect to discover and pair with new devices if not configured correctly."}, "name": "CVE-2025-32899", "public_date": "2025-12-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-32899\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32899\nhttps://kde.org/info/security/advisory-20250418-1.txt\nhttps://kdeconnect.kde.org"], "statement": "This vulnerability is rated Moderate for Red Hat as it allows an unauthenticated attacker on the same local network segment to unpair KDE Connect devices. This flaw primarily impacts the availability of the KDE Connect service by disrupting established device pairings.", "threat_severity": "Moderate"}

{}