A vulnerability in Rakuten Viber’s implementation of a proxy obfuscation feature allows network monitoring systems to easily identify traffic that is supposed to be hidden.
The flaw undermines the app’s ability to bypass censorship and could enable the blocking of Viber communications in restricted networks.
The issue, tracked as CVE-2025-13476 and rated critical, was disclosed in a bulletin by the CERT Coordination Center (CERT/CC). According to the advisory, the problem affects Viber for Android version 25.7.2.0g and Windows versions 25.6.0.0 through 25.8.1.0 when configured to use the Cloak proxy mode. The vulnerability was reported by Oleksii Gaienko, an independent security researcher.
The flaw stems from how Viber performs the TLS handshake when the Cloak proxy configuration is enabled. Cloak mode is designed to disguise proxy or VPN usage by making network traffic appear similar to normal HTTPS connections generated by web browsers. However, CERT/CC found that the implementation produces a static and highly predictable TLS ClientHello fingerprint with limited extension diversity. As a result, the traffic pattern deviates from typical browser behavior and becomes easily recognizable.
Because of this rigid fingerprint, Deep Packet Inspection (DPI) systems, commonly used by network operators, governments, and enterprise security appliances, can reliably detect that the connection is using Viber’s Cloak proxy mode. Once identified, the traffic can be selectively blocked or throttled, defeating the feature’s purpose of bypassing network restrictions.
Rakuten Viber is a widely used messaging and VoIP platform owned by Rakuten Group, a Japanese multinational technology and e-commerce company. The service provides encrypted messaging, voice and video calls, and group communications to hundreds of millions of users worldwide. In some regions with restrictive internet policies, users rely on proxy configurations such as Cloak mode to maintain access to messaging services.
CERT/CC warns that affected users may believe their traffic is being concealed when it is not, as the application provides no indication that the obfuscation mechanism is ineffective. In environments where messaging apps are actively filtered, the flaw may allow network administrators or censors to quickly detect and block Viber communications, potentially leading to service denial for users attempting to circumvent restrictions.
CERT/CC recommends that users update their applications to patched versions where the TLS handshake implementation has been corrected. The advisory specifies the following updates:
- Windows: Upgrade to Viber version 27.3.0.0 or later
- Android: Upgrade to Viber version 27.2.0.0g or later
Windows users are also encouraged to enable automatic updates to ensure the application remains protected against future security issues.
Until systems are updated, users operating in censorship-heavy environments should assume that Cloak mode proxy traffic may be identifiable and blockable by network monitoring tools, potentially exposing attempts to bypass restrictions.
If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.
