CVE-2025-53627
CVE-2025-53627 is a medium-severity vulnerability in Meshtastic Meshtastic Firmware with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1287.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 0% (9th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-205605
- Weakness: CWE-1287
- Affected product: Meshtastic Meshtastic Firmware
- Published:
- Last modified:
Description
Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue.
Frequently asked questions
- What is CVE-2025-53627?
- Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue.
- How severe is CVE-2025-53627?
- CVE-2025-53627 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2025-53627 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (9th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-53627?
- CVE-2025-53627 affects Meshtastic Meshtastic Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-53627?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-53627 have an EU (EUVD) identifier?
- Yes. CVE-2025-53627 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-205605.
- When was CVE-2025-53627 published?
- CVE-2025-53627 was published on 2025-12-29 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Meshtastic Meshtastic Firmware
- CVE-2025-55293 — Critical (CVSS 9.4): Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty…
- CVE-2025-24797 — Critical (CVSS 9.4): Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid…
- CVE-2025-52464 — High (CVSS 8.3): Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure…
- CVE-2025-55292 — High (CVSS 8.2): Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by…
- CVE-2024-47078 — High (CVSS 8.1): Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an…
- CVE-2024-45038 — High (CVSS 7.5): Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh…
All CVEs affecting Meshtastic Meshtastic Firmware →
Other CWE-1287 vulnerabilities
- CVE-2024-51550 — Critical (CVSS 10.0): Data Validation / Data Sanitization vulnerabilities in Linux allows unvalidated and unsanitized data to be injected in…
- CVE-2024-6298 — Critical (CVSS 10.0): Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series…
- CVE-2026-44935 — Critical (CVSS 9.9): Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before…
- CVE-2024-4879 — Critical (CVSS 9.8): ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now…
- CVE-2021-32024 — Critical (CVSS 9.8): A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an…
- CVE-2026-24307 — Critical (CVSS 9.3): Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information…