New Vulnerabilities Found in TETRA Encryption Protocol Raise Security Concerns

Vulnerabilities Found in TETRA Encryption Protocol | CyberPro Magazine

Cybersecurity researchers have disclosed a new series of security flaws in the Terrestrial Trunked Radio (TETRA) communications protocol, including weaknesses in a proprietary end-to-end encryption (E2EE) system used with it that could enable replay and brute-force attacks. The findings, named 2TETRA:2BURST, were presented at the Black Hat USA security conference last week by researchers from Midnight Blue, a Netherlands-based cybersecurity company.

Widespread Use of TETRA

TETRA, developed by the European Telecommunications Standards Institute (ETSI), is a mobile radio standard widely deployed across law enforcement, military, transportation, utilities, and other critical infrastructure sectors. The standard defines four air interface encryption algorithms: TEA1, TEA2, TEA3, and TEA4.

The latest disclosure comes two years after Midnight Blue revealed a different set of vulnerabilities in TETRA, known as TETRA:BURST, which included what was described as an intentional backdoor in the TEA1 algorithm.

Newly Discovered Weaknesses

The 2TETRA:2BURST vulnerabilities involve packet injection flaws, replay attacks, and an insufficient fix for a previously reported issue (CVE-2022-24401) that allowed keystream recovery.

Key vulnerabilities include:

  • CVE-2025-52940 – End-to-end encrypted voice streams are vulnerable to replay attacks; attackers could inject arbitrary voice traffic indistinguishable from legitimate calls.
  • CVE-2025-52941 – A weakened AES-128 variant reduces effective key entropy to 56 bits, making brute-force attacks feasible.
  • CVE-2025-52942 – Lack of replay protection for Short Data Service (SDS) messages.
  • CVE-2025-52943 – Identical network keys across multiple algorithms enable cross-decryption attacks if weaker ciphers are supported.
  • CVE-2025-52944 – Absence of message authentication allows injection of arbitrary voice and data messages.

Researchers noted that ETSI’s earlier fix for CVE-2022-24401 was ineffective in preventing keystream recovery; the unresolved issue is tracked under the placeholder identifier MBPH-2025-001.

Potential Impacts

According to Midnight Blue, the impact of these flaws depends on specific network configurations. Networks that use TETRA for data transmission are particularly vulnerable, as packet injection could allow adversaries to insert malicious traffic.

Voice injection attacks could cause operational confusion, while the weakened encryption variant (CVE-2025-52941) may allow unauthorized decryption of sensitive communications.

In many cases, radios reportedly accept unencrypted downlink traffic even when operating on encrypted networks, broadening the attack surface.

Mitigation Recommendations

There are currently no comprehensive patches for these vulnerabilities, except for MBPH-2025-001, for which a fix is expected. Researchers recommend:

  • Migrating to secure, scrutinized end-to-end encryption solutions (CVE-2025-52940, CVE-2025-52942)
  • Avoiding weakened encryption variants (CVE-2025-52941)
  • Disabling TEA1 and rotating Air Interface Encryption keys (CVE-2025-52943)
  • Adding TLS or VPN layers for data transmission (CVE-2025-52944)

Midnight Blue warned that CVE-2025-52944 likely affects all TETRA operators, enabling malicious traffic injection even when encryption is enabled.

Additional Device Vulnerabilities

The findings also coincide with the disclosure of three flaws in Sepura SC20 series mobile TETRA radios that could allow attackers with physical access to gain code execution:

  • CVE-2025-52945 – Defective file management restrictions
  • CVE-2025-8458 – Insufficient SD card encryption key entropy
  • MBPH-2025-003 – Exfiltration of all TETRA key materials except the device-specific key

Patches for the first two are expected in Q3 2025. The third flaw is considered unfixable due to architectural limitations.

From a code execution standpoint, attackers could potentially implant persistent backdoors or exfiltrate encryption keys, compromising the confidentiality and integrity of communications.

ETSI Response

ETSI stated that the end-to-end encryption mechanism used in certain TETRA radios is not part of the official ETSI standard, but was instead developed by The Critical Communications Association’s security and fraud prevention group. Purchasers of TETRA devices can implement alternative E2EE solutions if desired.
