CVE-2025-54792 in LocalSend
Summary
by MITRE • 08/02/2025
LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices, silently intercepting, reading, and modifying any file transfer. This can be used to steal sensitive data or inject malware, like ransomware, into files shared between trusted users. The attack is hardly detectable and easy to implement, posing a severe and immediate security risk. This issue was fixed in version 1.17.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/03/2025
The vulnerability described in CVE-2025-54792 affects LocalSend, an open-source application designed for secure file and message sharing between nearby devices over local networks without internet connectivity. This application operates under the assumption that devices within the same network segment can be trusted, creating a fundamental security gap in its discovery protocol implementation. The flaw exists in versions 1.16.1 and earlier, where the software fails to properly authenticate devices during the network discovery process, allowing malicious actors to exploit this weakness through a man-in-the-middle attack vector that undermines the application's core security premise.
The technical flaw manifests in the application's lack of proper device authentication mechanisms within its discovery protocol, which is classified as a weakness under CWE-300, "Communication Channel Security Vulnerability." The vulnerability enables an unauthenticated attacker positioned on the same local network to impersonate legitimate devices by exploiting the absence of cryptographic verification or secure authentication during the initial device handshake process. This allows the attacker to silently intercept all file transfers between legitimate users, as the discovery protocol does not validate the identity of devices attempting to establish connections. The attack can be executed with minimal technical expertise and network access, making it particularly dangerous in environments where users trust their local network connections.
The operational impact of this vulnerability is severe and multifaceted, as it directly compromises the confidentiality, integrity, and availability of data shared through LocalSend. An attacker can not only read sensitive information but also modify files during transfer, potentially injecting malware such as ransomware into legitimate file exchanges. This capability represents a significant threat to data integrity and can lead to substantial financial and operational losses for affected organizations. The attack is particularly insidious because it operates silently without alerting users to the compromise, making detection extremely difficult and allowing for prolonged unauthorized access to shared resources. The vulnerability affects all file transfer operations within the LocalSend ecosystem, regardless of file type or size, creating a comprehensive security breach that undermines the entire application's security model.
Mitigation efforts should focus on immediate deployment of the patched version 1.17.0, which addresses the authentication weakness in the discovery protocol through proper cryptographic verification mechanisms. Organizations should also implement network segmentation strategies to isolate critical systems from general network access, reducing the attack surface for such local network-based threats. Network monitoring tools should be deployed to detect unusual device discovery patterns or unexpected network traffic that might indicate an active MitM attack. Additionally, security awareness training should emphasize the importance of verifying device identities even in trusted network environments, as this vulnerability demonstrates how seemingly secure local network communications can be compromised through basic authentication failures. The fix aligns with ATT&CK technique T1566.002, "Phishing: Spearphishing Attachment," by addressing the attack vector that enables unauthorized access to network resources through compromised device identity validation, requiring organizations to implement proper network security controls and maintain updated software versions to prevent such attacks from succeeding.