If you're a journalist in Belarus, an activist in Iran, or simply someone trying to communicate privately in a country that monitors its citizens' internet traffic, you may have trusted Viber's "Cloak mode" to keep you hidden — but a newly disclosed critical vulnerability means that protection was never really there.
Who Is at Risk — and How Many People
Rakuten Viber is one of the world's most widely used messaging apps, with over 1.1 billion registered users and a particularly strong user base across Eastern Europe, the Middle East, and Southeast Asia — regions where government internet surveillance and censorship are everyday realities. Viber's "Cloak mode" is a specific feature designed for users in those high-risk environments. It's meant to disguise Viber's network traffic so it looks like ordinary, innocent internet activity, slipping past government surveillance systems undetected.
CVE-2025-13476, rated CVSS 9.8 (Critical), affects Viber for Android version 25.7.2.0g and Viber for Windows versions 25.6.0.0 through 25.8.1.0. That's a broad window of exposure covering tens of millions of devices actively used in countries where being caught circumventing censorship carries serious legal — or physical — consequences.
What the Flaw Actually Does: The Digital Equivalent of a Disguise That Doesn't Work
Imagine you're trying to sneak into a restricted building by wearing a convincing disguise — a different uniform, a fake badge. Cloak mode is supposed to be that disguise for your internet traffic. When you send a message or make a call through Viber in Cloak mode, the app is meant to route that traffic through a proxy server in a way that makes it look like boring, routine web activity that censorship systems won't bother blocking.
The problem is that the disguise is identical on every single person who wears it. When your device first reaches out to establish a secure connection, it sends what's called a digital "handshake" — a greeting that announces what kind of software is talking. A well-designed system randomizes this greeting so it looks different each time, blending in with the millions of other connections happening on the internet every second. Viber's Cloak mode, however, uses the exact same handshake, every time, on every device. It's like every spy in the organization being issued the same fake mustache. The authorities just learn what the mustache looks like, and the disguise is blown forever.
Government-operated network monitoring systems — the kind deployed at internet chokepoints in countries like China, Russia, and Iran — are specifically built to recognize these patterns. Once they've catalogued Viber's signature handshake, they can instantly identify and block every Cloak mode connection in the country without even needing to read the contents of the messages. Worse, in some regimes, the act of trying to circumvent censorship is itself a crime. This flaw doesn't just fail to protect users — it may actively flag them.
The Technical Anchor: Static TLS ClientHello Fingerprint (CWE-327)
For security researchers, the specific failure here is a static, non-randomized TLS ClientHello fingerprint with insufficient extension diversity — classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). When a TLS connection is initiated, the ClientHello message advertises supported cipher suites, extensions, elliptic curves, and compression methods in a specific order. Tools like JA3 fingerprinting hash these parameters into a unique identifier for the client software. Because Viber's Cloak mode uses a static, predictable configuration with no extension shuffling or GREASE values, its JA3 hash is consistent and trivially enumerable by any Deep Packet Inspection (DPI) system. Properly implemented censorship-circumvention tools — such as Tor's pluggable transports or well-hardened VPN clients — deliberately randomize or mimic common browser TLS profiles to defeat exactly this class of fingerprint-based blocking. Viber did neither.
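The fingerprinting described above, as an added example that is not from the original article or from Viber: a JA3 computation run over constructed ClientHello parameter sets to check whether a client's handshake varies between connections. The cipher, extension and curve values are made up for illustration and are not Viber's real ones. JA3 discards GREASE values before hashing, so in this sketch only reordering changes the hash.

```python
import hashlib

def is_grease(value: int) -> bool:
    # RFC 8701 GREASE code points: 0x0a0a, 0x1a1a, ... 0xfafa
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def ja3_string(hello: dict) -> str:
    # JA3 keeps wire order, drops GREASE, joins values with "-" and fields with ","
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(hello["version"]), field(hello["ciphers"]),
                     field(hello["extensions"]), field(hello["curves"]),
                     field(hello["point_formats"])])

def ja3_hash(hello: dict) -> str:
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()

def distinct_fingerprints(hellos) -> int:
    # Number of different JA3 hashes a client produced across connections
    return len({ja3_hash(h) for h in hellos})

# Constructed ClientHello parameters (illustrative, not Viber's real values)
BASE = {"version": 771, "ciphers": [4865, 4866, 4867, 49195, 49199],
        "extensions": [0, 23, 65281, 10, 11, 35, 16, 13, 43, 51],
        "curves": [29, 23, 24], "point_formats": [0]}

def static_client(n: int) -> list:
    # Same ClientHello on every connection
    return [dict(BASE) for _ in range(n)]

def grease_only_client(n: int) -> list:
    # A different GREASE value is prepended per connection, order otherwise fixed
    out = []
    for i in range(n):
        g = 0x0A0A + 0x1010 * i
        out.append({**BASE, "ciphers": [g] + BASE["ciphers"],
                    "extensions": [g] + BASE["extensions"],
                    "curves": [g] + BASE["curves"]})
    return out

def reordering_client(n: int) -> list:
    # Extension order changes per connection (rotation stands in for a shuffle)
    ext = BASE["extensions"]
    return [{**BASE, "extensions": ext[i:] + ext[:i]} for i in range(n)]

if __name__ == "__main__":
    for gen in (static_client, grease_only_client, reordering_client):
        print(gen.__name__, distinct_fingerprints(gen(5)))
```

Fed with parameters extracted from captures of a client under test, a result of 1 over many connections indicates a stable signature that DPI can match.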
Has This Been Exploited? What We Know
As of publication, no confirmed active exploitation has been reported — but that framing requires important context. This vulnerability doesn't follow the typical exploit model where an attacker "uses" a flaw to break into a system. The flaw is the ineffectiveness of the protection itself. Any government or ISP running DPI infrastructure — a very low technical bar — could have been passively and silently identifying Cloak mode users since these versions were released. There's no "attack" to detect or log. Users would have had no indication their protection was failing.
The vulnerability was disclosed under CVE-2025-13476. At time of writing, Rakuten Viber has not issued a public statement, and no independent researchers have publicly claimed discovery credit. Security teams and human rights organizations monitoring censorship circumvention tools — including groups like Citizen Lab and the Electronic Frontier Foundation — have historically flagged similar implementation failures in other privacy tools. Given the geography of Viber's user base, this flaw should be treated as a live risk for at-risk populations right now, regardless of whether a formal "campaign" has been documented.
"The absence of confirmed exploitation isn't the same as safety — it may simply mean the exploitation is invisible by design."
What You Should Do Right Now
Whether you're a regular user, a security administrator, or an at-risk individual in a censored region, here are three concrete steps to take immediately:
- Update Viber immediately — and verify the version number.
  Open Viber, go to Settings → About and confirm you are running a version higher than 25.7.2.0g on Android or higher than 25.8.1.0 on Windows. Do not assume an automatic update has run — manually check your app store or Viber's official download page. If a patched version is not yet available for your platform, proceed to step two without delay.
- Disable Cloak mode until a verified patch is confirmed.
  If you are currently relying on Viber's Cloak mode for safety in a high-censorship or high-surveillance environment, stop using it immediately. A broken protection is worse than no protection, because it creates false confidence. For censorship circumvention, consider switching to tools with independently audited obfuscation, such as Tor Browser with obfs4 bridges or a reputable VPN with documented TLS fingerprint randomization, until Viber issues a verified fix with release notes addressing this specific CVE.
- If you manage a fleet or serve at-risk users, issue guidance now.
  Security administrators at NGOs, newsrooms, and civil society organizations operating in censored regions should treat this as an active incident. Push communications to affected users explaining that Cloak mode is not currently reliable. Document which staff or contacts may have been using vulnerable versions — Android 25.7.2.0g, Windows 25.6.0.0 through 25.8.1.0 — and assess whether any communications sent under the assumption of Cloak protection should be considered potentially observable by network-level adversaries.
The Bottom Line
Security tools built for vulnerable populations carry an outsized moral weight. When a VPN leaks or a fingerprint is predictable, the cost isn't an inconvenience — it can be an arrest, a beating, or worse. CVE-2025-13476 is a reminder that promising censorship circumvention without rigorous, independently verified implementation isn't a feature. It's a liability. Rakuten Viber owes its most at-risk users a fast, transparent, and technically thorough fix — and until that fix arrives with proof, those users should act as if the cloak was never there.