CVE-2024-45038

CVSS base score: 7.5 (HIGH)

📋 TL;DR

This CVE describes a denial-of-service vulnerability in the MQTT handling of Meshtastic device firmware. An attacker who can get a crafted MQTT message delivered to a device (by publishing to the broker it subscribes to) can crash it, knocking it off the mesh and disrupting mesh communications. Every Meshtastic device with MQTT enabled is affected, with the greatest exposure for devices that connect to private MQTT servers.

💻 Affected Systems

Products:
  • Meshtastic device firmware
Versions: All versions before 2.4.1
Operating Systems: Embedded firmware for Meshtastic devices
Default Config Vulnerable: ⚠️ Yes
Notes: Devices connecting to private MQTT servers are particularly vulnerable, but all Meshtastic devices with MQTT enabled are affected.

📦 What is this software?

Meshtastic is an open-source project for long-range, off-grid text messaging and telemetry over LoRa radio. The device firmware runs on inexpensive microcontroller radio boards (ESP32 and nRF52 based) and can optionally bridge mesh traffic to the internet through an MQTT broker; that MQTT client module is the component affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can publish to the broker a fleet uses crashes every device that subscribes to it. A device reboots after the crash and reconnects to the same broker, so as long as the malicious message keeps arriving (the attacker republishes it, or the broker retains it) the device crashes again, leaving the mesh down until the devices are reconfigured (MQTT disabled or pointed at a trusted broker), power-cycled, or reflashed with fixed firmware.

🟠 Likely Case

Targeted devices crash, reboot and drop from the mesh network, requiring manual intervention to restore functionality.

🟢 If Mitigated

No impact if devices are updated to patched firmware before exploitation attempts occur, or if MQTT is disabled so the vulnerable code path is never reached.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires getting a specially crafted MQTT message delivered to a vulnerable device. Meshtastic devices are MQTT clients, not servers, so the attacker does not need to reach the device directly: anyone who can publish to a topic the device subscribes to on its broker (any client of an open or weakly protected broker, or the operator of a malicious or compromised private broker) can trigger the crash without authenticating to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1

Vendor Advisory: https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5

Restart Required: Yes

Instructions:

1. Download Meshtastic firmware version 2.4.1 or later from official sources.
2. Flash the firmware to all Meshtastic devices using the appropriate flashing tools for the board.
3. Verify the reported firmware version is 2.4.1 or later and that the device rejoins the mesh normally.
4. If MQTT was disabled as a stopgap, re-enable it only after the version check passes.

🧯 If You Can't Patch

  • Disable MQTT on all devices if it is not required for operations (e.g. via the Meshtastic CLI: meshtastic --set mqtt.enabled false); the vulnerable code path is only reachable through the MQTT module
  • Point devices only at a broker you control, with authentication and topic ACLs so that only trusted clients can publish to the topics the devices subscribe to; never attach unpatched devices to public or untrusted brokers
  • Isolate Meshtastic devices on a separate network segment with firewall rules that allow MQTT traffic only between the devices and the trusted broker

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the Meshtastic app, web client or CLI (meshtastic --info). The version is reported as MAJOR.MINOR.PATCH followed by a build hash; if the numeric part is below 2.4.1 and MQTT is enabled, the device is exposed. Compare the numbers numerically, not as strings.

Check Version:

Use Meshtastic app or web interface to view device information and firmware version.

Verify Fix Applied:

Confirm the device firmware version is 2.4.1 or higher via the Meshtastic interface, then verify that MQTT connectivity remains stable (no reboot loop after reconnecting to the broker).
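The following Python is an added example, not code from the Meshtastic project: it performs the version comparison from the check above across a whole fleet, so it serves both the "is it vulnerable" check and the post-update verification. It assumes the version string looks the way the app, web client and `meshtastic --info` present it (MAJOR.MINOR.PATCH with an optional trailing build hash); the inventory, node names and build hashes are constructed placeholders.

```python
"""Added example, not code from the Meshtastic project: decide whether a
reported firmware version is affected by CVE-2024-45038 (fixed in 2.4.1).

Assumption: the version string is as shown by the Meshtastic app, web client
or `meshtastic --info`, i.e. MAJOR.MINOR.PATCH optionally followed by a build
hash, e.g. "2.3.13.2d0e0c3" or "v2.4.1.394e0e1" (hashes here are made up).
"""
import re
from typing import Dict, Tuple

FIXED_VERSION: Tuple[int, int, int] = (2, 4, 1)  # first release with the fix

# Optional "v" prefix; anything after the third number (build hash) is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[.+-].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.3.13.2d0e0c3' -> (2, 3, 13). Raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Meshtastic version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> bool:
    """True if the firmware predates 2.4.1.

    The tuple comparison is numeric, so 2.10.0 sorts after 2.4.1; a plain
    string comparison ("2.10.0" < "2.4.1") would get that wrong.
    """
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Classify each node: patched, exposed (vulnerable with MQTT on), or
    vulnerable but not reachable over MQTT because the module is disabled."""
    result: Dict[str, str] = {}
    for node, info in inventory.items():
        if not is_vulnerable(str(info["firmware"])):
            result[node] = "patched"
        elif info["mqtt_enabled"]:
            result[node] = "EXPOSED: update now or disable MQTT"
        else:
            result[node] = "vulnerable code, MQTT disabled: update before re-enabling"
    return result


# Constructed inventory; node names and build hashes are placeholders.
CONSTRUCTED_INVENTORY: Dict[str, Dict[str, object]] = {
    "base-station": {"firmware": "2.3.13.2d0e0c3", "mqtt_enabled": True},
    "relay-north": {"firmware": "v2.4.1.394e0e1", "mqtt_enabled": True},
    "handheld-1": {"firmware": "2.2.20.abc1234", "mqtt_enabled": False},
    "relay-south": {"firmware": "2.5.0.1234567", "mqtt_enabled": True},
}

if __name__ == "__main__":
    for node, status in triage(CONSTRUCTED_INVENTORY).items():
        print(f"{node:14s} {status}")
```

A device with MQTT disabled is reported separately on purpose: it still runs the vulnerable code, so it must be updated before MQTT is ever turned back on.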

📡 Detection & Monitoring

Log Indicators:

  • Device serial/debug logs showing a crash or reset shortly after MQTT traffic is received
  • Repeated unexpected reboots (a reboot loop) while the device is connected to a broker
  • MQTT connection churn on the broker: the same client ID connecting and dropping over and over

Network Indicators:

  • Unusual MQTT traffic patterns to Meshtastic devices
  • Devices dropping from network unexpectedly

SIEM Query:

On the broker side, count MQTT connections per client ID over a short window (for example, more than five connections from the same client ID within ten minutes) and alert on client IDs that exceed the threshold: a device that crashes on every delivery of the malicious message shows up as a connect/disconnect loop. Correlate with device-side reboot events where those are collected.
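The detection logic described above, as an added example (not code from Meshtastic or from any broker vendor): a sliding-window reconnect counter run over broker log lines. The sample lines are constructed in the format Mosquitto writes ("New client connected from ... as <client id> ..."); the IP addresses, timestamps and client IDs are placeholders, and the window and threshold are assumptions to tune for your fleet.

```python
"""Added example, not Meshtastic or Mosquitto code: flag MQTT client IDs that
reconnect repeatedly within a short window, the broker-side signature of a
device that crashes every time it receives the malicious message.

Assumption: log lines in Mosquitto's format, e.g.
  1725000000: New client connected from 10.0.0.21:49152 as !a1b2c3d4 (p2, c1, k15).
Only the connect lines are counted; disconnect lines are ignored.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable

CONNECT_RE = re.compile(
    r"^(?P<ts>\d+): New client connected from (?P<ip>[\d.]+):\d+ as (?P<cid>\S+) \("
)


def find_crash_loops(
    lines: Iterable[str], window_s: int = 600, threshold: int = 5
) -> Dict[str, int]:
    """Return {client_id: peak connections within any window_s span} for
    every client that reached `threshold` connections in such a span."""
    recent: Dict[str, Deque[int]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue
        ts, cid = int(m["ts"]), m["cid"]
        q = recent[cid]
        q.append(ts)
        # Drop connections that fell out of the sliding window.
        while q and ts - q[0] > window_s:
            q.popleft()
        peak[cid] = max(peak[cid], len(q))
    return {cid: n for cid, n in peak.items() if n >= threshold}


# Constructed broker log: !a1b2c3d4 connects six times in under three minutes
# (crash loop), !deadbeef connects once and stays up. Placeholder IDs/IPs.
CONSTRUCTED_BROKER_LOG = """\
1725000000: New client connected from 10.0.0.21:49152 as !a1b2c3d4 (p2, c1, k15).
1725000003: New client connected from 10.0.0.40:50001 as !deadbeef (p2, c1, k15).
1725000018: Socket error on client !a1b2c3d4, disconnecting.
1725000035: New client connected from 10.0.0.21:49153 as !a1b2c3d4 (p2, c1, k15).
1725000052: Socket error on client !a1b2c3d4, disconnecting.
1725000070: New client connected from 10.0.0.21:49154 as !a1b2c3d4 (p2, c1, k15).
1725000088: Socket error on client !a1b2c3d4, disconnecting.
1725000105: New client connected from 10.0.0.21:49155 as !a1b2c3d4 (p2, c1, k15).
1725000123: Socket error on client !a1b2c3d4, disconnecting.
1725000140: New client connected from 10.0.0.21:49156 as !a1b2c3d4 (p2, c1, k15).
1725000158: Socket error on client !a1b2c3d4, disconnecting.
1725000175: New client connected from 10.0.0.21:49157 as !a1b2c3d4 (p2, c1, k15).
"""

if __name__ == "__main__":
    for cid, n in find_crash_loops(CONSTRUCTED_BROKER_LOG.splitlines()).items():
        print(f"possible crash loop: {cid} connected {n} times within 10 min")
```

A legitimate device on a flaky link can also reconnect often, so treat a hit as a trigger to pull the device's serial log and check the firmware version rather than as proof of attack; the interval between connects (roughly boot time plus the broker keepalive) is what distinguishes a crash loop from ordinary link loss.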

🔗 References

  • Vendor advisory: https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45038