CVE-2025-52464

8.3 HIGH

📋 TL;DR

Meshtastic firmware 2.5.0 through 2.6.10 could leave a device using a direct-message key pair that is not unique to it: some hardware vendors' flashing procedures cloned the same key onto every unit, and some platforms generated keys from an insufficiently seeded randomness pool. Anyone who holds one of these compromised private keys can decrypt direct messages sent to or from any device that still uses it.

💻 Affected Systems

Products:
  • Meshtastic firmware
Versions: 2.5.0 to 2.6.10
Operating Systems: Embedded systems running Meshtastic
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices from multiple hardware vendors where flashing procedures resulted in duplicated keys, and platforms with insufficient randomness pool initialization.

📦 What is this software?

Meshtastic is open-source firmware for low-cost LoRa radios that join into an off-grid mesh for text messaging and position sharing. Since 2.5.0, direct messages between nodes are encrypted with a per-device public/private key pair that the firmware generates on the device; this vulnerability is about that key pair not being unique.

⚠️ Risk & Real-World Impact

🔴

Worst Case

All direct messages sent to or from an affected device could be captured off the air and decrypted by anyone holding the matching compromised private key, a complete loss of message confidentiality for that device.

🟠

Likely Case

An attacker with the compromised-key list and a radio in range can decrypt some direct messages from vulnerable devices, exposing sensitive communications.

🟢

If Mitigated

With patched firmware and a regenerated key, only messages captured while the old key was in use remain decryptable; nothing sent with the new key is affected.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (passive: capture the radio traffic and decrypt it offline with a compromised key; no interaction with the victim device is needed)
Complexity: MEDIUM

Exploitation requires a compromised private key and a capture of the encrypted direct messages; the attacker never has to interact with the target device. Because vendor-cloned keys are identical on every unit that shipped with them, the keys are easy to collect, and the advisory suggests attackers may already have compiled such lists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.11 (partial: warns when the device's key matches the known-compromised list), 2.6.12 (complete: also wipes such a key and generates a new one)

Vendor Advisory: https://github.com/meshtastic/firmware/security/advisories/GHSA-gq7v-jr8c-mfr7

Restart Required: Yes

Instructions:

1. Update Meshtastic firmware to version 2.6.12 or later.
2. Follow device-specific flashing procedures.
3. On first boot, 2.6.12 automatically detects a key on the known-compromised list, wipes it and generates a new one.

🔧 Temporary Workarounds

Complete Device Wipe

Applies to: all affected platforms

Performs a factory reset so the vendor-cloned key pair is discarded and a new one is generated. Caveat: on a platform whose randomness pool was not seeded properly, unpatched firmware regenerates the key with the same weak generator, so a wipe removes a cloned key but does not cure weak key generation; updating to 2.6.12, which wipes and regenerates a compromised key itself, is still required.

Device-specific wipe procedure (consult hardware vendor documentation)

🧯 If You Can't Patch

  • Disable direct messaging functionality on affected devices
  • Isolate vulnerable devices from sensitive communications networks

🔍 How to Verify

Check if Vulnerable:

Check firmware version via device admin interface. Versions 2.5.0 through 2.6.10 are vulnerable.

Check Version:

Read the firmware version from the Meshtastic app's device page or from the Meshtastic Python CLI's meshtastic --info output (serial, TCP or BLE); the exact serial-console command, where one exists, depends on the board.

Verify Fix Applied:

Confirm firmware version is 2.6.12 or later and check for warning messages about compromised keys (which should be automatically wiped in 2.6.12).
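A fleet check for the two conditions this page describes (a key on the known-compromised list, and one key shared by several devices), written here as an added example rather than Meshtastic project code. It assumes each node's direct-message public key has been exported as a base64 string (the form the Meshtastic Python CLI shows in its node output; that format, the node IDs and the records below are constructed) and that the compromised-key list is a plain text file of base64 keys, one per line, also constructed here with no real key material.

```python
"""Fleet audit for CVE-2025-52464: flag Meshtastic nodes whose direct-message
public key is on a known-compromised list or is shared by more than one device.

Added example, not Meshtastic project code. Assumptions (constructed here):
- each node's public key is available as a base64 string;
- the compromised-key list is one base64 key per line, '#' starts a comment.
"""
import base64
import binascii
from collections import defaultdict

X25519_KEY_LEN = 32  # Meshtastic direct-message keys are Curve25519, 32 bytes


def canonical(b64_key: str) -> bytes:
    """Decode a base64 key and check its length; raise on malformed input."""
    raw = base64.b64decode(b64_key.strip(), validate=True)  # binascii.Error on junk
    if len(raw) != X25519_KEY_LEN:
        raise ValueError(f"expected {X25519_KEY_LEN}-byte key, got {len(raw)}")
    return raw


def load_compromised(lines):
    """Parse a compromised-key list into a set of raw keys."""
    keys = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            keys.add(canonical(line))
    return keys


def audit(nodes, compromised):
    """Return {node_id: [reasons]} for every node that needs its key replaced.

    nodes: {node_id: base64 public key}; compromised: set of raw keys.
    A key that decodes badly is reported too, since it cannot be checked.
    """
    findings = defaultdict(list)
    owners = defaultdict(list)          # raw key -> node ids advertising it
    for node_id, b64 in nodes.items():
        try:
            raw = canonical(b64)
        except (ValueError, binascii.Error) as exc:
            findings[node_id].append(f"malformed key: {exc}")
            continue
        owners[raw].append(node_id)
        if raw in compromised:
            findings[node_id].append("key is on the known-compromised list")
    # A key seen on two of our own devices is compromised even if no public
    # list names it: every other holder of that key can read the messages.
    for raw, ids in owners.items():
        if len(ids) > 1:
            for node_id in ids:
                others = sorted(i for i in ids if i != node_id)
                findings[node_id].append(f"key duplicated on {', '.join(others)}")
    return dict(findings)


# Constructed sample data: keys are repeated byte patterns, not real keys.
def _fake_key(fill: int) -> str:
    return base64.b64encode(bytes([fill]) * X25519_KEY_LEN).decode()


COMPROMISED_LIST = [
    "# constructed known-compromised keys (vendor-cloned in this scenario)",
    _fake_key(0x11),
    _fake_key(0x22),
]

SAMPLE_NODES = {
    "!aaaa0001": _fake_key(0x11),   # vendor-cloned key, on the list
    "!aaaa0002": _fake_key(0x33),   # unique, nothing to report
    "!aaaa0003": _fake_key(0x44),   # same key as the next node (weak RNG)
    "!aaaa0004": _fake_key(0x44),
    "!aaaa0005": "not-base64!!",    # malformed export line
}


def run_sample():
    """Audit the constructed fleet against the constructed list."""
    return audit(SAMPLE_NODES, load_compromised(COMPROMISED_LIST))


if __name__ == "__main__":
    for node_id, reasons in sorted(run_sample().items()):
        print(node_id, "->", "; ".join(reasons))
```

Run it against your own export: any node with a finding needs the 2.6.12 update (which wipes a listed key itself) or a reset. A duplicate inside your own fleet that the published list does not name is still a compromised key, which is why the audit checks both conditions.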

📡 Detection & Monitoring

Log Indicators:

  • Firmware 2.6.11 or later warns when the device's key matches the known-compromised list; collect that warning from the serial console or app log on the first boot after updating
  • A node's public key changing after the 2.6.12 update, which means a compromised key was wiped and regenerated

Network Indicators:

  • None reliable: an attacker holding a compromised private key captures LoRa traffic passively and decrypts it offline, which leaves no trace on the mesh
  • What is observable is the key material itself: two nodes advertising the same public key in their node info, or a node advertising a key that is on the compromised list

SIEM Query:

Search device and serial logs for 'compromised key' or 'key warning'; in a fleet, also compare the public keys reported by each node and alert on any value that appears more than once.

🔗 References

  • Vendor advisory: https://github.com/meshtastic/firmware/security/advisories/GHSA-gq7v-jr8c-mfr7
