Overview
A security vulnerability, identified as CVE-2025-13524, has been discovered in the AWS Wickr, Wickr Gov, and Wickr Enterprise desktop applications running on Windows, macOS, and Linux. It allows a call participant to potentially continue receiving audio input from another user after that user has closed their call window. The issue is classified as medium severity and can be exploited only under specific circumstances that require user interaction.
Technical Details
The core of CVE-2025-13524 is an improper resource release during call termination in AWS Wickr. Under certain conditions, when a user takes a specific action within the application while ending a call, the audio stream to the other participant might not be fully terminated. This leaves the affected user’s microphone active and streaming audio to the other participant, even though the affected user believes the call has ended. The exact sequence of actions required to trigger this vulnerability requires further investigation, but the potential for unintended audio capture is present.
CVSS Analysis
CVE-2025-13524 has been assigned a Common Vulnerability Scoring System (CVSS) score of 5.7 (MEDIUM). This score reflects the potential impact of the vulnerability and the relative difficulty of exploitation. While the vulnerability requires specific conditions to be met, the potential for audio leakage warrants immediate attention.
Possible Impact
The exploitation of CVE-2025-13524 can lead to several serious consequences:
- Privacy Breach: Sensitive conversations may be unintentionally recorded and transmitted to another user without the speaker's knowledge.
- Confidentiality Compromise: Business secrets or private discussions could be exposed.
- Reputational Damage: Discovery that the vulnerability has been exploited could severely damage trust in AWS Wickr and its security posture.
Mitigation or Patch Steps
The recommended mitigation for CVE-2025-13524 is to immediately upgrade AWS Wickr, Wickr Gov, and Wickr Enterprise desktop applications to version 6.62.13 or later. This version contains the necessary fix to properly handle resource release during call termination and prevents the audio leak from occurring.
- Download the latest version: Visit the AWS Wickr download page to obtain version 6.62.13 or later.
- Install the update: Follow the installation instructions provided for your operating system (Windows, macOS, or Linux).
- Verify the update: After installation, confirm that you are running version 6.62.13 or later by checking the “About” section of the application.
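For fleets where checking each client's "About" section by hand is impractical, the same version check can be run over a software inventory export. The following is an added example, not AWS code; the CSV column names and sample rows are constructed assumptions, and only the product names and the 6.62.13 threshold come from this advisory.

```python
import csv
import io

FIXED = (6, 62, 13)  # first fixed desktop version, per this advisory
AFFECTED = {"aws wickr", "wickr gov", "wickr enterprise"}

# Constructed sample inventory export; the column names are assumptions.
SAMPLE_INVENTORY = """host,os,product,version
ws-001,Windows,AWS Wickr,6.62.13
ws-002,macOS,AWS Wickr,6.58.4
ws-003,Linux,Wickr Enterprise,6.62.9
ws-004,Windows,Wickr Gov,6.70.1
ws-005,macOS,Wickr Gov,unknown
ws-006,Windows,Other Chat,1.0.0
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(inventory_csv):
    """Map each host running an affected product to 'vulnerable', 'fixed' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() not in AFFECTED:
            continue
        ver = parse_version(row["version"])
        if ver is None:
            status = "unknown"      # cannot prove it is patched: needs manual review
        elif ver < FIXED:           # numeric tuple compare, so 6.62.9 < 6.62.13
            status = "vulnerable"
        else:
            status = "fixed"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 6.62.9 above 6.62.13 and report that host as patched.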
References
- CVE-2025-13524 (NIST National Vulnerability Database): https://nvd.nist.gov/vuln/detail/CVE-2025-13524
- AWS Security Bulletin: https://aws.amazon.com/security/security-bulletins/AWS-2025-029/
- AWS Wickr Download: https://aws.amazon.com/wickr/downloads/
