Overview An attacker can reliably identify and block Viber’s Cloak‑mode proxy traffic because the feature uses a static, easily fingerprinted TLS ClientHello, which could result in blocking and may result in denial of service. Description Rakuten Viber's Proxy (Cloak mode) in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 exhibits a flaw in its TLS handshake implementation. Cloak mode is designed to hide the fact that a proxy or VPN is in use. However, the Cloak proxy mode ClientHello fingerprint is rigid and lacks extension diversity, making it trivially identifiable by Deep Packet Inspection (DPI) systems. This undermines the effectiveness of domain fronting and enables network-level blocking of Viber traffic in restrictive environments. The issue compromises censorship circumvention capabilities and in specific instances, may result in denial of service. Impact The Cloak-mode proxy traffic fails to hide the use of a proxy. The outgoing data is easily identifiable due to the rigid finger print and no longer appears to be normal browser TLS behavior. The user has no indication the proxy is not protecting their data or Solution For continued support, implement automatic updates for Viber Windows clients. The current version is 27.3.0.0. The Android mobile version in version 27.2.0.0g. Acknowledgements Thanks to the reporter Oleksii Gaienko, an independent security researcher.This document was written by Laurie Tyzenhaus. Vendor Information One or more vendors are listed for this advisory. Please reference the full report for more information. References https://www.viber.com/en/download/ https://www.viber.com/en/download-android-update/ Other Information CVE IDs: CVE-2025-13476 Date Public: 2026-02-18 Date First Published: 2026-03-05 Date Last Updated: 2026-03-05 16:50 UTC Document Revision: 1 About vulnerability notes Contact us about this vulnerability Provide a vendor statement