High severity7.2NVD Advisory· Published Oct 27, 2025· Updated Apr 15, 2026

CVE-2025-61482

Description

Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts.

Affected products

ReversecLabs/Android Keystore Auditreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ReversecLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.jsnvd
svarthatt.se/cve/cve-2025-61482-pulling-otp-secrets-from-privacyidea-authenticator/nvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000