- Description
- Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, Meshtastic was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation. When users with an affected key pair sent Direct Messages, those messages could be captured and decrypted by an attacker who has compiled the list of compromised keys. This issue has been patched in version 2.6.11, where key generation is delayed until the first time the LoRa region is set, along with warning users when a compromised key is detected. Version 2.6.12 furthers this patch by automatically wiping known compromised keys when found. A workaround for this vulnerability involves users doing a complete device wipe to remove vendor-cloned keys.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.5
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- CWE-331 (source: security-advisories@github.com)
- Hype score
- Not currently trending
Actively exploited CVE: CVE-2025-52464
@transilienceai
25 Jun 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Critical flaw in Meshtastic's cryptography allows attackers to decrypt messages & hijack nodes via duplicated keys & weak randomness. Firmware 2.6.11 fixes key issues. Stay alert! 🔐 #CVE-2025-52464 #LoRa #Australia https://t.co/mDfY59swOh
@TweetThreatNews
23 Jun 2025
88 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A critical cryptographic flaw in Meshtastic (CVE-2025-52464) allows message decryption and node hijacking due to duplicated/low-entropy keys. Update to 2.6.11 or later immediately. #Meshtastic #LoRaSecurity #Cybersecurity #Vulnerability #Cryptography https://t.co/Fy4cJ8NfUm
@the_yellow_fall
23 Jun 2025
653 Impressions
7 Retweets
13 Likes
1 Bookmark
0 Replies
0 Quotes
Warning: Critical severity vulnerability (CVE-2025-52464) in #Meshtastic firmware risks duplicated encryption keys, allowing attackers to decrypt private messages. More info at: https://t.co/h3UuE242KT #patch #patch
@CCBalert
20 Jun 2025
173 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-52464 Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in du… https://t.co/KdqucoCuOo
@CVEnew
19 Jun 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes