Vulnerabilities in the European mobile radio standard Terrestrial Trunked Radio protocol leveraged by critical infrastructure organizations could be exploited to enable brute-force intrusions and encrypted traffic decryption, reports The Hacker News.
Among the discovered flaws are a TETRA end-to-end encrypted voice stream issue, tracked as CVE-2025-52940, and a TETRA end-to-end encryption algorithm ID bug, tracked as CVE-2025-52941, which could facilitate replay and brute-force attacks, respectively, according to a study by Midnight Blue researchers presented at the Black Hat USA 2025 security conference. Exploiting the end-to-end encrypted TETRA SDS messages vulnerability, tracked as CVE-2025-52942, could permit arbitrary message replay, while CVE-2025-52943 and CVE-2025-52944 could be abused for traffic decryption and arbitrary message injection, respectively, said the researchers, who also noted an insufficient fix for the CVE-2022-24401 flaw. "Downlink traffic injection is typically feasible using plaintext traffic, as we found radios will accept and process unencrypted downlink traffic even on encrypted networks. For uplink traffic injection, the keystream needs to be recovered," researchers added.
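The two receiver-side behaviours the researchers describe, radios processing unencrypted downlink traffic on an encrypted network and SDS messages being replayable, both come down to checks a receive path can enforce. The following is an added illustration written for this summary, not code from Midnight Blue or from any TETRA implementation: the `Frame` model, its fields and the sample traffic are constructed stand-ins and do not reflect the real TETRA air-interface format. It shows a policy filter that rejects plaintext frames when the network is configured for encryption and rejects frames whose message identifier was recently seen, recording each rejection so it can feed detection.

```python
"""Defender-side receive filter (added example, hypothetical frame model).

The frame layout below is a constructed, simplified stand-in and is NOT the
real TETRA air-interface format. It models only the two properties the
findings turn on: whether a frame is encrypted, and whether it carries a
message identifier that has already been seen.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    direction: str      # "downlink" (infrastructure -> radio) or "uplink"
    encrypted: bool     # True if the payload is protected; False = plaintext
    msg_id: int         # constructed per-message identifier (hypothetical)
    payload: bytes


class ReceiveFilter:
    """Accepts or rejects frames according to network policy.

    network_encrypted: the network is configured for encrypted traffic. If
    True, plaintext frames are rejected rather than processed, closing the
    gap where radios accept unencrypted downlink traffic on encrypted
    networks. A bounded cache of recently seen msg_ids rejects replays.
    """

    def __init__(self, network_encrypted: bool, replay_window: int = 1024):
        self.network_encrypted = network_encrypted
        self.replay_window = replay_window
        self._seen: "OrderedDict[int, None]" = OrderedDict()
        self.rejected = []   # (frame, reason) pairs for logging/detection

    def accept(self, frame: Frame) -> bool:
        # Policy check: never process cleartext when encryption is expected.
        if self.network_encrypted and not frame.encrypted:
            self.rejected.append((frame, "plaintext-on-encrypted-network"))
            return False
        # Replay check: a message identifier inside the window is seen once.
        if frame.msg_id in self._seen:
            self.rejected.append((frame, "replay"))
            return False
        self._seen[frame.msg_id] = None
        if len(self._seen) > self.replay_window:
            self._seen.popitem(last=False)   # evict the oldest identifier
        return True


def process(frames, network_encrypted=True):
    """Run frames through the filter; return (accepted frames, reject reasons)."""
    flt = ReceiveFilter(network_encrypted)
    accepted = [fr for fr in frames if flt.accept(fr)]
    reasons = [reason for _, reason in flt.rejected]
    return accepted, reasons


# Constructed sample traffic (not captured data).
SAMPLE = [
    Frame("downlink", True, 1, b"\x01"),
    Frame("downlink", False, 2, b"\x02"),   # plaintext arriving on an encrypted net
    Frame("uplink", True, 3, b"\x03"),
    Frame("uplink", True, 3, b"\x03"),      # repeat of msg_id 3
    Frame("downlink", True, 4, b"\x04"),
]

if __name__ == "__main__":
    acc, why = process(SAMPLE)
    print(len(acc), "accepted; rejections:", why)
```

The rejection log is the detection hook: a burst of `plaintext-on-encrypted-network` or `replay` entries on a network that should never see either is a signal worth alerting on, independent of whether the underlying cipher is ever fixed.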




