PatchSiren cyber security CVE debrief
CVE-2024-47130 goTenna CVE debrief
A critical vulnerability in the goTenna Pro App allows unauthenticated attackers to remotely update local public keys used for peer-to-peer and group messaging, potentially enabling message interception or impersonation. The issue affects goTenna Pro App versions 1.6.1 and earlier. CISA published this advisory on September 26, 2024, with an update on October 17, 2024 that revised the vulnerability overview, affected products, and mitigations sections. The vulnerability carries a CVSS 3.1 score of 9.6 (Critical), with attack vector adjacent, low attack complexity, no privileges required, and no user interaction needed. The scope is changed with high impact to confidentiality, integrity, and availability. goTenna has released patched versions 2.0.3 or greater for both Android and iOS platforms.
- Vendor: goTenna
- Product: Pro
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-26
- Original CVE updated: 2024-10-17
- Advisory published: 2024-09-26
- Advisory updated: 2024-10-17
Who should care
Organizations using goTenna Pro X and Pro X2 devices for tactical or emergency communications, including public safety agencies, military units, and industrial field operations teams relying on encrypted mesh networking. Security teams responsible for mobile device management and operational technology communications infrastructure should prioritize patching.
Technical summary
The goTenna Pro App fails to authenticate key update operations, allowing an attacker on the adjacent network to remotely modify the local public keys used for P2P and group message encryption without credentials. Because the app accepts a replacement key without proof that it came from the legitimate peer, this authentication bypass enables potential man-in-the-middle attacks, message interception, or sender impersonation. The vulnerability affects versions 1.6.1 and earlier. Attack complexity is low, requiring no privileges or user interaction, and the scope change means the impact crosses security boundaries beyond the vulnerable component. Remediation requires updating to version 2.0.3 or greater and implementing operational security practices for key management.
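The defect class described above is an unauthenticated key-update path: a peer's stored public key is replaced on request, with no proof that the request came from the peer who owns that identity. The following Python is an added illustration written for this debrief, not goTenna's code or wire format. It contrasts a store that accepts any over-the-air update with one that only accepts updates authenticated by a secret established out of band (the advisory's QR-code exchange is the model for that step) and carrying a monotonically increasing counter, so that a captured genuine update cannot be replayed later. The message layout, the `pair` step and the HMAC construction are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed key-update message shape for this example (not goTenna's format):
# (sender_id, new_public_key, counter, tag)


class VulnerableKeyStore:
    """Mirrors the flaw class: any KEY_UPDATE heard on the radio is applied.
    Nothing ties the update to the identity it claims to update, so any
    adjacent radio can replace a peer's key and then read or impersonate."""

    def __init__(self):
        self.keys = {}

    def handle_key_update(self, sender_id, new_pubkey, counter=None, tag=None):
        self.keys[sender_id] = new_pubkey  # no authentication, no replay check
        return True


class AuthenticatedKeyStore:
    """Hardened form: a KEY_UPDATE is applied only if (a) the peer was paired
    out of band, (b) the counter is strictly newer than the last accepted one,
    and (c) the HMAC over the whole message verifies under the pairing secret."""

    def __init__(self):
        self.keys = {}
        self.pairing_secret = {}  # sender_id -> bytes, set at QR-code exchange
        self.last_counter = {}

    def pair(self, sender_id, pubkey, secret):
        # Assumed out-of-band bootstrap (e.g. QR scan in a secured area).
        self.keys[sender_id] = pubkey
        self.pairing_secret[sender_id] = secret
        self.last_counter[sender_id] = 0

    @staticmethod
    def mac(secret, sender_id, new_pubkey, counter):
        # Bind identity, key and counter together; length-prefix avoids ambiguity.
        msg = struct.pack(">H", len(sender_id)) + sender_id.encode()
        msg += struct.pack(">H", len(new_pubkey)) + new_pubkey
        msg += struct.pack(">Q", counter)
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def handle_key_update(self, sender_id, new_pubkey, counter, tag):
        secret = self.pairing_secret.get(sender_id)
        if secret is None:
            return False  # unknown peer: never learn a key from the air alone
        if counter <= self.last_counter[sender_id]:
            return False  # replayed or stale update
        expected = self.mac(secret, sender_id, new_pubkey, counter)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered update
        self.keys[sender_id] = new_pubkey
        self.last_counter[sender_id] = counter
        return True


def make_update(secret, sender_id, new_pubkey, counter):
    """Build a genuine update as the legitimate peer would."""
    tag = AuthenticatedKeyStore.mac(secret, sender_id, new_pubkey, counter)
    return (sender_id, new_pubkey, counter, tag)


def demo():
    # Constructed sample values.
    legit_key = b"\x01" * 32
    rotated_key = b"\x02" * 32
    rogue_key = b"\xff" * 32
    secret = b"constructed-pairing-secret"

    vuln = VulnerableKeyStore()
    vuln.keys["alice"] = legit_key
    vuln_applied_unauth = vuln.handle_key_update("alice", rogue_key)

    hard = AuthenticatedKeyStore()
    hard.pair("alice", legit_key, secret)
    unauth = ("alice", rogue_key, 1, b"\x00" * 32)
    hard_rejects_unauth = not hard.handle_key_update(*unauth)
    genuine = make_update(secret, "alice", rotated_key, 1)
    hard_accepts_genuine = hard.handle_key_update(*genuine)
    hard_rejects_replay = not hard.handle_key_update(*genuine)

    return {
        "vuln_applied_unauth": vuln_applied_unauth,
        "vuln_key_is_rogue": vuln.keys["alice"] == rogue_key,
        "hard_rejects_unauth": hard_rejects_unauth,
        "hard_accepts_genuine": hard_accepts_genuine,
        "hard_key_is_rotated": hard.keys["alice"] == rotated_key,
        "hard_rejects_replay": hard_rejects_replay,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The counter check is what makes the rotation guidance later on this page meaningful: without it, an attacker who records one legitimate key update can replay it after the team has rotated keys, reverting a peer to an old key.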
Defensive priority
Critical
Recommended defensive actions
- Update goTenna Pro App to version 2.0.3 or greater immediately for both Android and iOS platforms
- Use discreet callsigns and key names that do not disclose location, team size, or team composition
- Implement strong security measures on all end-user devices including encryption and regular software updates
- Rotate encryption keys regularly according to industry best practices
- Exchange encryption keys via QR code rather than over-the-air transmission when possible
- When broadcasting keys is necessary, do so only in secured areas at reduced power (0.5 W)
- Implement layered encryption keys for secure individual and team communications
- Contact goTenna Pro support at [email protected] for additional assistance
Evidence notes
Vulnerability description and affected product versions derived from CISA CSAF advisory ICSA-24-270-04. CVSS vector and score confirmed from source. Remediation guidance extracted from vendor-provided mitigations in the same advisory. Timeline dates reflect CVE publication (2024-09-26) and modification (2024-10-17) per official records.
Official resources
- CVE-2024-47130 CVE record (CVE.org)
- CVE-2024-47130 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference