Authentication and Authorization Bypass in Meshtastic MQTT Protocol
CVE-2024-47078

9.8CRITICAL

Key Information:

Vendor: Meshtastic
Status: Meshtastic Firmware
Vendor: CVE Published:; 25 September 2024

What is CVE-2024-47078?

The Meshtastic firmware, designed for decentralized mesh networking, contains vulnerabilities in its MQTT implementation that allow for both authentication and authorization bypass. Prior to the release of version 2.5.1, these weaknesses made it possible for attackers to gain unauthorized control over MQTT-connected nodes, jeopardizing the security and integrity of the communication within the network. Users are advised to update to version 2.5.1 or later to mitigate these risks and ensure the proper functioning of their device's security protocols.

References

https://github.com/meshtastic/firmware/security/advisorie...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 25, 2024