
CISA alerts on Viber cloak mode TLS fingerprinting

Rakuten Viber’s Proxy feature, known as Cloak mode, on Android and Windows relies on a static Transport Layer Security (TLS) ClientHello fingerprint, which allows that traffic to be identified and can result in network-level blocking and possible Denial of Service (DoS).

The issue is tracked as CVE-2025-13476 and appears in Rakuten Viber's Proxy (Cloak mode) on Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0; it stems from a flaw in the TLS handshake implementation. The Cloak proxy mode ClientHello fingerprint is rigid and lacks extension diversity, making it identifiable by Deep Packet Inspection systems and undermining domain fronting.

The advisory states the Cloak-mode proxy traffic fails to hide the use of a proxy, and that the outgoing data is easily identifiable due to the rigid fingerprint and no longer appears to be normal browser TLS behavior. The document notes the issue compromises censorship circumvention capabilities, enables network-level blocking of Viber traffic in restrictive environments, and in specific instances may result in DoS; the user has no indication the proxy is not protecting their data.
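The rigidity described above can be measured by a client developer or tester. The following is an added example, not code from the advisory or from Viber: it parses ClientHello handshake messages, computes a JA3 fingerprint for each (JA3 is an assumption here, since the advisory names no fingerprinting method), and counts the distinct values seen. The handshakes, cipher list and `example.com` SNI are constructed sample input.

```python
import hashlib, itertools, os, struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 reserved values, ignored by JA3

def build_client_hello(ciphers, extensions):
    """Constructed sample input: a ClientHello handshake message (no record header)."""
    exts = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def u16s(data):  # decode bytes as a list of big-endian 16-bit integers
    return [v for (v,) in struct.iter_unpack("!H", data)]

def ja3(hello):
    """Return (JA3 string, MD5 hex) for a ClientHello handshake message."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 39 + hello[38]          # type(1) + length(3) + version(2) + random(32), then session_id
    n = u16s(hello[pos:pos + 2])[0]
    ciphers = u16s(hello[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + hello[pos]         # skip compression methods
    end = pos + 2 + u16s(hello[pos:pos + 2])[0]
    pos += 2
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 10:           # supported_groups: 2-byte list length, then 2-byte ids
            groups = u16s(data[2:])
        elif etype == 11:         # ec_point_formats: 1-byte list length, then 1-byte ids
            formats = list(data[1:])
    fields = [u16s(hello[4:6])] + [[v for v in f if v not in GREASE] for f in (ciphers, exts, groups)]
    text = ",".join("-".join(map(str, f)) for f in fields + [formats])
    return text, hashlib.md5(text.encode()).hexdigest()

def distinct_fingerprints(hellos):
    """Set of JA3 hashes seen across a capture; a single value means a rigid handshake."""
    return {ja3(h)[1] for h in hellos}

CIPHERS = [0x1301, 0x1302, 0xC02F]  # constructed values
EXTS = [(0, b"\x00\x0e\x00\x00\x0bexample.com"), (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00")]
rigid = [build_client_hello(CIPHERS, EXTS) for _ in range(5)]
varied = [build_client_hello(CIPHERS, list(p)) for p in itertools.permutations(EXTS)]
print(len(distinct_fingerprints(rigid)), len(distinct_fingerprints(varied)))
```

The five `rigid` handshakes differ only in their random bytes and collapse to one fingerprint, while the `varied` set, which changes only extension order, produces one fingerprint per ordering.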

For continued support, the advisory recommends implementing automatic updates for Viber Windows clients. The advisory lists the current Windows version as 27.3.0.0 and the Android mobile version as 27.2.0.0g.

The document includes vendor information and references, including Viber download and update pages, a Cloak project repository, and a Viber help article; it directs readers to reference the full report for more information and provides options to contact the advisory authors about the vulnerability and to provide a vendor statement.