Cyber security researchers have discovered a new set of security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in its proprietary end-to-end encryption (E2EE) mechanism, that expose the system to replay and brute-force attacks, and even decryption.
Details of the weaknesses, dubbed 2TETRA:2BURST, were presented at the Black Hat USA security conference last week by Midnight Blue researchers Carlo Meijer, Wouter Bokslag and Jos Wetzels.
TETRA is a European mobile radio standard widely used by law enforcement, military, transportation, utilities and critical infrastructure operators. It was developed by the European Telecommunications Standards Institute (ETSI). It includes four encryption algorithms: TEA1, TEA2, TEA3, and TEA4.
The disclosure comes two years after the Netherlands-based cyber security company discovered a set of security weaknesses in the TETRA standard, dubbed TETRA:BURST, including what was described as a deliberate "back door" that could be exploited to leak sensitive information.
The newly discovered issues relate to a case of packet injection in TETRA, as well as an insufficient fix for CVE-2022-24401, one of the five TETRA:BURST issues, which was meant to prevent keystream recovery attacks. The identified issues are listed below –
- CVE-2025-52940 – TETRA end-to-end encrypted voice streams are vulnerable to replay attacks. In addition, an attacker with no knowledge of the key can inject arbitrary voice streams, which are played back indistinguishably from authentic traffic by legitimate call recipients.
- CVE-2025-52941 – TETRA end-to-end encryption algorithm ID 135 refers to a deliberately weakened AES-128 implementation, with its effective traffic key entropy reduced from 128 to 56 bits, which makes it vulnerable to brute-force attacks.
- CVE-2025-52942 – End-to-end encrypted TETRA SDS messages have no replay protection, which allows arbitrary replay of messages towards humans or machines.
- CVE-2025-52943 – TETRA networks that support multiple air interface encryption algorithms are vulnerable to key recovery attacks because the SCK/CCK network key is the same for all supported algorithms. When TEA1 is supported, the easily recovered TEA1 key (CVE-2022-24402) can be used to decrypt or inject TEA2 or TEA3 traffic on the network.
- CVE-2025-52944 – The TETRA protocol lacks message authentication and therefore allows injection of arbitrary messages such as voice and data.
- ETSI's fix for CVE-2022-24401 is ineffective in preventing keystream recovery attacks (no CVE assigned; placeholder identifier MBPH-2025-001)
Midnight Blue stated that the impact of 2TETRA:2BURST depends on the use cases and configuration aspects of each particular TETRA network, and that networks using TETRA in a data-carrying capacity are particularly susceptible to packet injection attacks, possibly allowing attackers to intercept radio communications and inject malicious data traffic.
“Voice replay or injection scenarios (CVE-2025-52940) can create confusion among legitimate users, which can be used as an amplifying factor in massive attacks,” the company said. “TETRA E2EE users (also that Sepura Embedded E2EE) should in any case validate whether they may be using the weak 56-bit variant (CVE-2025-52941).”
“Downlink traffic injection is usually possible using plaintext traffic, as we found that radios will accept and process unencrypted downlink traffic on encrypted networks. For uplink traffic injection, the key needs to be recovered.”
https://www.youtube.com/watch?v=etmn23izabw
There is no evidence of these weaknesses being exploited in the wild. That said, there are no patches to address the deficiencies, with the exception of MBPH-2025-001, for which a fix is expected to be released.
Mitigations for the other defects are listed below –
- CVE-2025-52940, CVE-2025-52942 – Migrate to a scrutinized, secure E2EE solution
- CVE-2025-52941 – Migrate to a non-weakened E2EE variant
- CVE-2025-52943 – Disable TEA1 support and rotate all AIE keys
- CVE-2025-52944 – When TETRA is used in a data-carrying capacity: add a TLS/VPN layer on top of TETRA
“If you operate or use a TETRA network, you are certainly affected by CVE-2025-52944, in which we demonstrate that it is possible to inject malicious traffic into a TETRA network, even with authentication and/or encryption enabled,” Midnight Blue said.
“In addition, CVE-2022-24401 likely affects you, as it allows adversaries to collect keystream for either confidentiality or integrity violations. If you operate a multi-cipher network, CVE-2025-52943 poses a significant security risk.”
In a statement shared with WIRED, ETSI stated that the E2EE mechanisms used in TETRA-based radios are not part of the ETSI standard, adding that they were produced by The Critical Communications Association's (TCCA) Security and Fraud Prevention Group (SFPG). ETSI also said that buyers of TETRA-based radios are free to deploy other solutions for E2EE on their radios.
The findings also coincide with the discovery of three flaws in the Sepura SC20 series of mobile TETRA radios that allow attackers with physical access to the device to achieve unauthorized code execution –
- CVE-2025-52945 – Defective file management restrictions
- CVE-2025-8458 – Insufficient key entropy for SD card encryption
- Device-specific key K (no CVE assigned; placeholder identifier MBPH-2025-003)
Patches for CVE-2025-52945 and CVE-2025-8458 are expected to be made available in the third quarter of 2025, so users are advised to implement enhanced TETRA key management policies. MBPH-2025-003, on the other hand, cannot be remediated due to architectural limitations.
“The weaknesses enable an attacker to obtain code execution on Sepura Gen 3 devices,” the company said. “Attack scenarios featuring CVE-2025-8458 include persistent code execution through access to the device's SD card. Abuse of CVE-2025-52945 is even more straightforward, as it requires only brief access to the PEI connector of the device.”
“From the basis of code execution, many attack scenarios are viable, such as exfiltration of TETRA key materials (MBPH-2025-003) or the implantation of a persistent backdoor in the radio firmware. This causes loss of confidentiality and integrity of TETRA communications.”