New TETRA Radio Encryption Flaws Expose Law Enforcement Communications

Cybersecurity researchers have uncovered new security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in a proprietary end-to-end encryption (E2EE) mechanism, that expose the system to replay and brute-force attacks and, in some configurations, allow encrypted traffic to be decrypted.

Details of the vulnerabilities, dubbed 2TETRA:2BURST, were presented last week at the Black Hat USA security conference by Midnight Blue researchers Carlo Meijer, Wouter Bokslag and Jos Wetzels.

TETRA is a European mobile radio standard widely used by law enforcement, military, transportation, utilities, and critical infrastructure operators. Developed by the European Telecommunications Standards Institute (ETSI), it includes four air interface encryption algorithms: TEA1, TEA2, TEA3 and TEA4.

The disclosure comes more than two years after the Dutch cybersecurity company discovered a set of security vulnerabilities in the TETRA standard, collectively called TETRA:BURST, which included what has been described as an “intentional backdoor” that could be exploited to leak sensitive information.

The newly discovered issues concern packet injection in TETRA, as well as an inadequate fix for one of the five TETRA:BURST flaws, CVE-2022-24401. The identified issues are listed below –

  • CVE-2025-52940 – TETRA end-to-end encrypted voice streams are vulnerable to replay attacks. Additionally, an attacker without knowledge of the key can inject arbitrary voice streams that are indistinguishable from genuine traffic to legitimate call recipients.
  • CVE-2025-52941 – TETRA end-to-end encryption algorithm ID 135 refers to a deliberately weakened AES-128 implementation whose effective traffic key entropy is reduced from 128 bits to 56 bits, making it susceptible to brute-force attacks.
  • CVE-2025-52942 – End-to-end encrypted TETRA SDS messages have no replay protection, allowing arbitrary replay of messages to individuals or machines.
  • CVE-2025-52943 – TETRA networks supporting multiple air interface encryption algorithms are vulnerable to key recovery attacks, as the SCK/CCK network keys are identical across all supported algorithms. If TEA1 is supported, an attacker can decrypt or inject TEA2 or TEA3 traffic in the network using the easily recovered TEA1 key (CVE-2022-24402).
  • CVE-2025-52944 – The TETRA protocol lacks message authentication, so arbitrary messages, such as voice or data, can be injected.
  • ETSI’s fix for CVE-2022-24401 is ineffective at preventing keystream recovery attacks (no CVE; placeholder identifier MBPH-2025-001 assigned).
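To make the entropy figure in CVE-2025-52941 concrete, the following Go program is an added illustration, not Midnight Blue's code and not the real TEA ID 135 key derivation (the page does not describe how that variant discards bits). It models a weakened AES-128 key in which all but a chosen number of bits are fixed to a public constant, then recovers the secret bits from a single known plaintext/ciphertext pair by exhaustive search. The fixed prefix, the plaintext and the 16-bit toy key size are constructed for the demo; the work-factor comparison at the end shows why 56 effective bits, unlike 128, are within reach of brute force.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math"
)

// fixedPrefix stands in for the key bits a weakened scheme leaves constant and
// publicly known. Constructed value for this illustration only.
var fixedPrefix = [8]byte{0x54, 0x45, 0x54, 0x52, 0x41, 0x00, 0x00, 0x00}

// weakKey builds a 128-bit AES key whose only secret material is the low
// effBits bits of secret (effBits must be in 1..63 here); the rest is the
// public prefix. Effective entropy is therefore effBits, not 128.
func weakKey(secret uint64, effBits int) [16]byte {
	var k [16]byte
	copy(k[:8], fixedPrefix[:])
	mask := (uint64(1) << uint(effBits)) - 1
	binary.BigEndian.PutUint64(k[8:], secret&mask)
	return k
}

// encryptBlock performs one raw AES-128 block encryption; a single block is
// all a known-plaintext key search needs.
func encryptBlock(key, pt [16]byte) [16]byte {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // cannot happen: the key is always 16 bytes
	}
	var ct [16]byte
	c.Encrypt(ct[:], pt[:])
	return ct
}

// bruteForce recovers the secret bits from one known (pt, ct) pair by trying
// every one of the 2^effBits candidates. It returns the candidate, the number
// of AES trials spent, and whether a match was found.
func bruteForce(effBits int, pt, ct [16]byte) (uint64, uint64, bool) {
	limit := uint64(1) << uint(effBits)
	for cand := uint64(0); cand < limit; cand++ {
		if encryptBlock(weakKey(cand, effBits), pt) == ct {
			return cand, cand + 1, true
		}
	}
	return 0, limit, false
}

// workFactor is the worst-case number of trials for an exhaustive search over
// effBits effective key bits, as a float64 so that 2^128 does not overflow.
func workFactor(effBits int) float64 {
	return math.Pow(2, float64(effBits))
}

func main() {
	// 16 toy bits so the search finishes in well under a second; the weakened
	// E2EE variant leaves 56, which is feasible with real hardware, while the
	// nominal 128 is not.
	const effBits = 16
	secret := uint64(0xBEEF)
	var pt [16]byte
	copy(pt[:], "constructedblock") // constructed known plaintext
	ct := encryptBlock(weakKey(secret, effBits), pt)

	got, trials, ok := bruteForce(effBits, pt, ct)
	fmt.Printf("recovered secret %#x (found=%v) after %d AES trials\n", got, ok, trials)
	fmt.Printf("worst case: 2^56 = %.3g trials vs 2^128 = %.3g trials\n",
		workFactor(56), workFactor(128))
}
```

The point of the example is the masking step in weakKey: whatever bits the scheme fixes contribute nothing to the search space, so an attacker with one known plaintext block only has to pay 2^effBits AES trials, however long the key looks on the wire.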

Midnight Blue states that the impact of 2TETRA:2BURST depends on the use case and configuration of a given TETRA network, and that networks using TETRA for data-carrying capabilities are particularly susceptible to packet injection attacks, allowing attackers to intercept radio communications and inject malicious data traffic.

“Voice replay or injection scenarios (CVE-2025-52940) can be used to cause confusion among legitimate users, potentially as amplification for a wider attack,” the company says. “TETRA E2EE users (as well as those not using the Sepura embedded E2EE) should verify whether they are using the weakened 56-bit variant (CVE-2025-52941).”

“Downlink traffic injection is often possible using plaintext traffic, as we found that radios accept and process unencrypted downlink traffic even in encrypted networks. For uplink traffic injection, the keystream needs to be recovered.”

https://www.youtube.com/watch?v=etmn23izabw

There is no evidence that these vulnerabilities are being exploited in the wild. That said, apart from MBPH-2025-001, there are no patches that address the shortcomings.

Mitigations for the other flaws are listed below –

  • CVE-2025-52940, CVE-2025-52942 – Migrate to a scrutinized, secure E2EE solution
  • CVE-2025-52941 – Migrate to a non-weakened E2EE variant
  • CVE-2025-52943 – Disable TEA1 support and rotate all AIE keys
  • CVE-2025-52944 – When using TETRA for data-carrying capabilities: add a TLS/VPN layer on top of TETRA
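The two gaps the mitigations above respond to, no replay protection (CVE-2025-52942) and no message authentication (CVE-2025-52944), can be shown in miniature. The Go program below is an added example, not TCCA's E2EE design, not Midnight Blue's code, and not a substitute for the TLS/VPN layer recommended; it puts a receiver that accepts every frame beside one that verifies an HMAC-SHA256 tag over sequence number and payload and enforces an IPsec-style 64-entry sliding anti-replay window. The key, the messages and the attacker's frames are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is a message as the application sees it; Tag is an HMAC-SHA256 over
// Seq || Payload that the unprotected link never checks.
type Frame struct {
	Seq     uint32
	Payload []byte
	Tag     []byte
}

// tag binds the sequence number to the payload under the shared key.
func tag(key []byte, seq uint32, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	var seqBytes [4]byte
	binary.BigEndian.PutUint32(seqBytes[:], seq)
	m.Write(seqBytes[:])
	m.Write(payload)
	return m.Sum(nil)
}

// send is the legitimate transmitter; seq must never be reused under one key.
func send(key []byte, seq uint32, payload []byte) Frame {
	return Frame{Seq: seq, Payload: payload, Tag: tag(key, seq, payload)}
}

// acceptUnprotected models a bearer with neither message authentication nor
// replay protection: genuine, replayed and forged frames are all delivered.
func acceptUnprotected(_ Frame) (string, bool) {
	return "accepted (no tag or sequence check)", true
}

// Receiver verifies the tag in constant time, then applies a sliding window over
// the last 64 sequence numbers: late-but-genuine frames pass, duplicates do not.
type Receiver struct {
	key     []byte
	highest uint32 // highest sequence number accepted so far
	window  uint64 // bit i set => sequence number highest-i already accepted
}

func (r *Receiver) Accept(f Frame) (string, bool) {
	if !hmac.Equal(f.Tag, tag(r.key, f.Seq, f.Payload)) {
		return "rejected: bad or missing authentication tag", false
	}
	if r.window == 0 { // nothing accepted yet; bit 0 stays set from here on
		r.highest, r.window = f.Seq, 1
		return "accepted", true
	}
	switch {
	case f.Seq > r.highest: // advance the window; anything older than 64 falls out
		if shift := f.Seq - r.highest; shift < 64 {
			r.window <<= shift
		} else {
			r.window = 0
		}
		r.window |= 1
		r.highest = f.Seq
		return "accepted", true
	case r.highest-f.Seq >= 64:
		return "rejected: too old for replay window", false
	default:
		bit := uint64(1) << (r.highest - f.Seq)
		if r.window&bit != 0 {
			return "rejected: replay", false
		}
		r.window |= bit
		return "accepted", true
	}
}

// runScenario feeds four frames to one of the two receivers: two genuine messages,
// a replay of the first captured over the air, and a forgery made without the key.
func runScenario(protected bool) []string {
	key := []byte("constructed demo key, not a TETRA key")
	r := &Receiver{key: key}
	legit1 := send(key, 0, []byte("Unit 12: proceed to checkpoint"))
	legit2 := send(key, 1, []byte("Unit 12: acknowledged"))
	forged := Frame{Seq: 7, Payload: []byte("Unit 12: stand down")}
	var verdicts []string
	for _, f := range []Frame{legit1, legit2, legit1, forged} {
		v, _ := acceptUnprotected(f)
		if protected {
			v, _ = r.Accept(f)
		}
		verdicts = append(verdicts, v)
	}
	return verdicts
}

func main() {
	fmt.Println("unprotected link:", runScenario(false))
	fmt.Println("authenticated + anti-replay:", runScenario(true))
}
```

Two design points carry over to any real deployment: the tag must cover the sequence number (otherwise a captured payload can be re-sent under a fresh number), and the tag check must run before the window is updated, so that an attacker cannot burn sequence numbers with forgeries.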

“If you operate or use a TETRA network, you will certainly be affected by CVE-2025-52944. This shows that malicious traffic can be injected into the TETRA network even with authentication and/or encryption enabled.”

“In addition, CVE-2022-24401 will likely affect you, as it allows adversaries to collect keystreams for confidentiality or integrity violations. If you operate a multi-cipher network, CVE-2025-52943 poses a serious security risk.”

In a statement shared with WIRED, ETSI said the E2EE mechanism used in TETRA-based radios is not part of the ETSI standard, adding that it was produced by The Critical Communications Association's (TCCA) Security and Fraud Prevention Group (SFPG). ETSI also noted that buyers of TETRA-based radios are free to deploy other solutions for E2EE over the radio.


The findings also coincide with the discovery of three flaws in Sepura's TETRA mobile radios that could allow attackers with physical access to the device to achieve rogue code execution –

  • CVE-2025-52945 – Improper file management restrictions
  • CVE-2025-8458 – Insufficient key entropy for SD card encryption
  • Extraction of all TETRA and TETRA E2EE key material, except for the device-specific key K (no CVE; placeholder identifier MBPH-2025-003 assigned)

Patches for CVE-2025-52945 and CVE-2025-8458 are expected to be available in the third quarter of 2025, and users are recommended to implement an enhanced TETRA key management policy. MBPH-2025-003, on the other hand, cannot be remediated due to architectural constraints.

“The vulnerabilities allow an attacker to obtain code execution on Sepura Gen 3 devices,” the company said. “Attack scenarios involving CVE-2025-8458 involve persistent code execution through access to the device's SD card. Exploitation of CVE-2025-52945 is even easier, as it only requires brief access to the device's PEI connector.”

“From a basis of code execution, several attack scenarios can be carried out, including extraction of the TETRA key material (MBPH-2025-003) and embedding a persistent backdoor into the radio firmware. This would result in a loss of confidentiality and integrity of TETRA communications.”
