CVE-2025-55293
📋 TL;DR
This vulnerability allows an attacker to impersonate legitimate nodes in a Meshtastic mesh network by manipulating public key assignments. Attackers can first send a NodeInfo packet with an empty public key to clear existing keys, then send a new malicious key to take over node identities. All Meshtastic users running versions before 2.6.3 are affected.
💻 Affected Systems
- Meshtastic firmware
⚠️ Risk & Real-World Impact
Worst Case
Complete network compromise where attackers impersonate any node, intercept all communications, inject malicious data, and potentially disrupt critical infrastructure relying on mesh networking.
Likely Case
Attackers impersonate nodes to intercept sensitive communications, inject false data, or disrupt network operations in affected mesh deployments.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still allows localized impersonation attacks within mesh segments.
🎯 Exploit Status
Exploitation requires network access to send crafted NodeInfo packets but no authentication. The technique is documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.3
Vendor Advisory: https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2
Restart Required: Yes
Instructions:
1. Download Meshtastic firmware version 2.6.3 or later from official sources.
2. Flash the firmware to all affected devices.
3. Verify that all devices are running the patched version.
🔧 Temporary Workarounds
Network segmentation: Isolate Meshtastic networks from untrusted networks to prevent external attackers from accessing mesh traffic.
Monitor for key changes: Implement monitoring to detect unexpected public key changes in NodeDB entries.
🧯 If You Can't Patch
- Segment mesh networks from untrusted networks and internet access
- Implement strict network monitoring for abnormal NodeInfo packets and key changes
🔍 How to Verify
Check if Vulnerable:
Check the firmware version on each Meshtastic device. If the version is below 2.6.3, the device is vulnerable.
Check Version:
Use Meshtastic client or device interface to check firmware version
Verify Fix Applied:
Confirm the firmware version is 2.6.3 or higher on all devices. Test by attempting to send crafted NodeInfo packets (in a controlled environment) to verify they are rejected.
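A small added helper for the version check above (example code, not from the advisory or the Meshtastic project). It assumes the device reports a version string of the form major.minor.patch, optionally prefixed with "v" or followed by a build hash such as "2.5.20.4c97351"; the exact reported format is an assumption. It compares numerically, so a version like 2.10.0 is correctly treated as newer than 2.6.3, which a plain string comparison would get wrong.

```python
"""Decide from a reported firmware version string whether a Meshtastic
device is below the patched 2.6.3 release (added example, assumed format)."""
import re

# First fixed release named in the advisory.
PATCHED = (2, 6, 3)


def parse_version(version):
    """Return (major, minor, patch) from strings like "2.6.3", "v2.6.3"
    or "2.5.20.4c97351"; anything after the third numeric part is
    assumed to be a build hash and ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the reported version is older than 2.6.3.
    Tuple comparison keeps 2.10.0 after 2.6.3; string comparison would not."""
    return parse_version(version) < PATCHED


if __name__ == "__main__":
    for v in ["2.5.20.4c97351", "v2.6.2", "2.6.3", "2.10.0"]:
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```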
📡 Detection & Monitoring
Log Indicators:
- Multiple NodeInfo packets from same source with empty public keys followed by new keys
- Unexpected public key changes in NodeDB
Network Indicators:
- Unusual NodeInfo packet patterns
- Rapid succession of NodeInfo packets with key manipulation
SIEM Query:
source="meshtastic" AND (event="NodeInfo" AND (public_key="" OR key_change="true"))
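The SIEM query above fires on every empty public key or key change individually. The indicator that actually characterises this vulnerability is the sequence: a NodeInfo that clears a known key, followed shortly by a NodeInfo from the same node with a different key. The following added example (not code from the advisory or the Meshtastic project) shows that stateful correlation over constructed log lines. The log format, field names (ts, source, event, node, public_key) and the 60-second window are assumptions; adapt the parser to whatever your collector emits.

```python
"""Correlate NodeInfo key events per node to flag the clear-then-replace
pattern (added example; log format is constructed, not Meshtastic's own)."""
from dataclasses import dataclass

# Constructed sample log: one key=value event per line. Keys are placeholder
# strings, not real Meshtastic public keys.
SAMPLE_LOG = """\
ts=100 source=meshtastic event=NodeInfo node=!aa11bb22 public_key=K1AAAA
ts=105 source=meshtastic event=NodeInfo node=!cc33dd44 public_key=K2BBBB
ts=160 source=meshtastic event=Text node=!aa11bb22 public_key=K1AAAA
ts=200 source=meshtastic event=NodeInfo node=!aa11bb22 public_key=
ts=203 source=meshtastic event=NodeInfo node=!aa11bb22 public_key=K9EVIL
ts=900 source=meshtastic event=NodeInfo node=!cc33dd44 public_key=K2BBBB
"""


@dataclass
class Alert:
    ts: int
    node: str
    kind: str       # "key_cleared", "key_changed" or "clear_then_replace"
    old_key: str
    new_key: str


def parse_line(line):
    """Split a key=value log line into a dict; a trailing 'public_key='
    with nothing after it yields an empty string, which is the signal."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v
    return fields


def detect_key_takeover(log_text, window_seconds=60):
    """Return alerts for key clears, key changes, and the high-severity
    clear-then-replace sequence within window_seconds."""
    last_key = {}    # node -> last non-empty key seen in a NodeInfo
    cleared_at = {}  # node -> ts of the most recent empty-key NodeInfo
    alerts = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f.get("source") != "meshtastic" or f.get("event") != "NodeInfo":
            continue
        node, ts, key = f["node"], int(f["ts"]), f.get("public_key", "")
        prev = last_key.get(node)
        if key == "":
            # Keep last_key so the later replacement can report what was lost.
            if prev:
                alerts.append(Alert(ts, node, "key_cleared", prev, ""))
                cleared_at[node] = ts
            continue
        if prev is None:
            last_key[node] = key          # first key for this node: learn it
            continue
        if key != prev:
            recent_clear = node in cleared_at and ts - cleared_at[node] <= window_seconds
            kind = "clear_then_replace" if recent_clear else "key_changed"
            alerts.append(Alert(ts, node, kind, prev, key))
        last_key[node] = key
        cleared_at.pop(node, None)
    return alerts


if __name__ == "__main__":
    for a in detect_key_takeover(SAMPLE_LOG):
        print(f"{a.ts} {a.node} {a.kind}: {a.old_key!r} -> {a.new_key!r}")
```

Only the NodeInfo events are correlated; other packet types carrying a key field are ignored. A node whose key is first seen as empty produces no alert, since there is no established identity to lose; a plain key change without a preceding clear is still reported, at lower severity, because the advisory lists unexpected NodeDB key changes as an indicator in their own right.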