{"vuid":"VU#772695","idnumber":"772695","name":"A flawed TLS handshake implementation affects Viber Proxy in multiple platforms","keywords":null,"overview":"### Overview\r\nThe Rakuten Viber messaging app for Android V25.7.2.0g and Windows V25.6.0.0–V25.8.1.0 has a flaw in its TLS handshake implementation when using the Cloak proxy configuration. This flaw allows for easy identification of proxy usage, potentially compromising user anonymity.\r\n\r\n### Description\r\nRakuten Viber can be configured to use a proxy server. Multiple proxy configurations, including Cloak, are supported. Rakuten Viber in Android V25.7.2.0g and Windows V25.6.0.0–V25.8.1.0 exhibits a flaw in the TLS handshake implementation for Cloak mode. Cloak mode is designed to hide the fact that a proxy or VPN is in use.\r\nHowever, the Cloak proxy mode has a rigid and easily identified fingerprint, making it trivially identifiable by Deep Packet Inspection (DPI) systems. This allows networks to block Viber traffic, undermining the app's ability to circumvent censorship and potentially leading to denial of service in certain cases.\r\n\r\n### Impact\r\nThe Cloak-mode proxy traffic fails to hide the use of a proxy. The outgoing data is easily identifiable due to the rigid fingerprint and no longer resembles normal browser TLS behavior. The user has no indication that the proxy is not protecting their data.\r\n\r\n### Solution\r\nWindows users should upgrade to V27.3.0.0 or later, and Android users should upgrade to V27.2.0.0g or later.\r\nFor continued support, Windows users can implement automatic updates for Viber.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Oleksii Gaienko, an independent security researcher.\r\nThis document was written by Laurie Tyzenhaus.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.viber.com/en/download/","https://www.viber.com/en/download-android-update/"],"cveids":["CVE-2025-13476"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-03-05T16:50:31.124517Z","publicdate":"2026-02-18T00:00:00Z","datefirstpublished":"2026-03-05T16:50:31.145152Z","dateupdated":"2026-03-05T19:19:33.207721Z","revision":3,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":177}