Open Source Mesh Networking Solution Vulnerability in Meshtastic
CVE-2025-52464
What is CVE-2025-52464?
Meshtastic versions from 2.5.0 to before 2.6.11 are affected by two key-generation flaws. The flashing procedure used by various hardware vendors resulted in duplicated public/private keys. In addition, the internal randomness pool was not properly initialized on certain platforms, which led to low-entropy key generation. As a consequence, an attacker able to compile a list of compromised keys could intercept and decrypt Direct Messages sent by users with affected key pairs. Version 2.6.11 addresses the issue by postponing key generation until the LoRa region is set and by alerting users when a compromised key is detected. Version 2.6.12 further enhances security by automatically wiping known compromised keys. Users can also mitigate the vulnerability by performing a complete device wipe, which eliminates any vendor-cloned keys.
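A fleet audit for the conditions described above, as an added example that is not Meshtastic project code: it flags nodes that share a public key, nodes whose key appears on a list of known compromised keys, and nodes running firmware in the affected range. The inventory layout, the sample keys and the `KNOWN_BAD` digest list are constructed assumptions, not real devices or the firmware's own list.

```python
import base64
import hashlib
from collections import defaultdict

def sample_key(seed: bytes) -> str:
    """Constructed 32-byte stand-in for a node public key, base64-encoded."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed inventory: node id, firmware version string, public key.
INVENTORY = [
    {"node": "!a1", "firmware": "2.5.3", "public_key": sample_key(b"vendor-image")},
    {"node": "!b2", "firmware": "2.6.4", "public_key": sample_key(b"vendor-image")},
    {"node": "!c3", "firmware": "2.6.12", "public_key": sample_key(b"unique-c3")},
    {"node": "!d4", "firmware": "2.5.0", "public_key": sample_key(b"weak-rng")},
]
# Hypothetical blocklist: SHA-256 digests of public keys known to be compromised.
KNOWN_BAD = {hashlib.sha256(base64.b64decode(sample_key(b"weak-rng"))).hexdigest()}

def in_affected_range(version: str) -> bool:
    # "From 2.5.0 to before 2.6.11"; build suffixes after the third field are ignored.
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (2, 5, 0) <= parts < (2, 6, 11)

def audit(inventory, known_bad):
    """Return {node: [reasons]} for every node that needs a key reset or upgrade."""
    by_key = defaultdict(list)
    for entry in inventory:
        by_key[entry["public_key"]].append(entry["node"])
    findings = {}
    for entry in inventory:
        reasons = []
        raw = base64.b64decode(entry["public_key"])
        if len(by_key[entry["public_key"]]) > 1:
            reasons.append("duplicate-key")          # same key pair on several devices
        if hashlib.sha256(raw).hexdigest() in known_bad:
            reasons.append("known-compromised-key")  # listed as compromised
        if in_affected_range(entry["firmware"]):
            reasons.append("affected-firmware")      # upgrade to 2.6.11 or later
        if reasons:
            findings[entry["node"]] = reasons
    return findings

if __name__ == "__main__":
    for node, reasons in audit(INVENTORY, KNOWN_BAD).items():
        print(node, ", ".join(reasons))
```

The duplicate check runs regardless of firmware version, because an upgraded node can still carry a vendor-cloned key that is not on any known-compromised list; such a node needs the complete device wipe.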
Affected Version(s)
firmware > 2.5.0, < 2.6.11