CVE-2025-55293
CVE-2025-55293 is a critical-severity vulnerability in Meshtastic Meshtastic Firmware with a CVSS 3.x base score of 9.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.4)
- EPSS exploit prediction: 0% (32nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-25140
- Weakness: CWE-287
- Affected product: Meshtastic Meshtastic Firmware
- Published:
- Last modified:
Description
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
Frequently asked questions
- What is CVE-2025-55293?
- Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
- How severe is CVE-2025-55293?
- CVE-2025-55293 has a CVSS 3.x base score of 9.4, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability low.
- Is CVE-2025-55293 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-55293?
- CVE-2025-55293 affects Meshtastic Meshtastic Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-55293?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2025-55293 have an EU (EUVD) identifier?
- Yes. CVE-2025-55293 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-25140.
- When was CVE-2025-55293 published?
- CVE-2025-55293 was published on 2025-08-18 and last updated on 2026-06-17.
References
- https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744
- https://github.com/meshtastic/firmware/pull/6372
- https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2
Affected products (1)
- cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Meshtastic Meshtastic Firmware
- CVE-2025-24797 — Critical (CVSS 9.4): Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid…
- CVE-2025-52464 — High (CVSS 8.3): Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure…
- CVE-2025-55292 — High (CVSS 8.2): Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by…
- CVE-2024-47078 — High (CVSS 8.1): Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an…
- CVE-2024-45038 — High (CVSS 7.5): Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh…
- CVE-2024-47065 — Medium (CVSS 6.5): Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are…
All CVEs affecting Meshtastic Meshtastic Firmware →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →