CVE-2025-52464
BaseFortify

Publication date: 2025-06-19

Last updated on: 2025-10-09

Assigner: GitHub, Inc.

Description
Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, Meshtastic was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation. When users with an affected key pair sent Direct Messages, those messages could be captured and decrypted by an attacker who has compiled the list of compromised keys. This issue has been patched in version 2.6.11, where key generation is delayed until the first time the LoRa region is set, along with warning users when a compromised key is detected. Version 2.6.12 furthers this patch by automatically wiping known compromised keys when found. A workaround to this vulnerability involves users doing a complete device wipe to remove vendor-cloned keys.
Meta Information
Published: 2025-06-19
Last Modified: 2025-10-09
Generated: 2026-05-07
AI Q&A: 2025-06-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: meshtastic
Product: meshtastic_firmware
Version / Range: From 2.5.0 (inc) to 2.6.11 (exc)
CWE
CWE-331: The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52464 is a critical vulnerability in the Meshtastic mesh networking firmware where certain hardware vendors' flashing procedures caused duplicated public/private cryptographic key pairs. Additionally, the firmware failed to properly initialize its internal randomness pool on some platforms, leading to low-entropy (weak) key generation. As a result, users with affected keys could have their Direct Messages intercepted and decrypted by attackers who compiled a list of these compromised keys. The vulnerability also allows attackers to impersonate administrators or control nodes if compromised keys are used. The issue has been patched by delaying key generation until the LoRa region is set, improving randomness, warning users about compromised keys, and plans to automatically wipe known compromised keys. Users can also mitigate the issue by performing a full device wipe to remove cloned keys. [3, 4, 5]


How can this vulnerability impact me?

This vulnerability can have severe impacts including: 1) Attackers intercepting and decrypting Direct Messages sent by users with compromised keys, compromising confidentiality. 2) Unauthorized control over Meshtastic nodes if compromised keys are used for remote administration, allowing attackers to impersonate administrators and execute commands. 3) Overall loss of confidentiality and integrity of communications and node control within the mesh network. The vulnerability is rated critical with a high CVSS score, indicating it can be exploited remotely without user interaction and with low complexity. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The Meshtastic firmware includes detection mechanisms for this vulnerability by checking for duplicated or low-entropy cryptographic keys. When a remote device advertises a public key identical to the local device's key, the system logs a warning indicating a potentially compromised key. Users are notified via client notifications to regenerate their keys. Additionally, the firmware checks public keys against a predefined list of known low-entropy key hashes to detect weak keys. To detect compromised keys on your device, you can monitor these warnings in the device logs or client notifications. For a direct command, you can perform a full device wipe and key regeneration using the Meshtastic Python CLI command: `meshtastic --factory-reset-device`, which removes vendor-cloned keys and mitigates the vulnerability. [3, 5]
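The two checks the answer above describes, a duplicate-key comparison and a lookup against a list of known-compromised key hashes, written out as an added Python example. This is not code from this page or from the Meshtastic project's firmware: it assumes a node table of base64-encoded 32-byte public keys (the node IDs and keys below are constructed for the example), uses a placeholder hash list in place of the firmware's real compromised-key list, and generalizes the firmware's local-versus-remote comparison to every pair of nodes in the table, which is what an operator auditing an exported node list would want.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample input: node id -> base64 public key as a node would advertise it.
# Nodes 02 and 03 deliberately share a key (the vendor-cloned case); node 04 carries an
# all-zero key, which stands in for a known low-entropy key in this example.
SAMPLE_NODE_KEYS = {
    "!aabbcc01": base64.b64encode(bytes(range(1, 33))).decode(),
    "!aabbcc02": base64.b64encode(bytes(range(100, 132))).decode(),
    "!aabbcc03": base64.b64encode(bytes(range(100, 132))).decode(),  # duplicate of 02
    "!aabbcc04": base64.b64encode(bytes(32)).decode(),                # placeholder weak key
}

# Placeholder list of SHA-256 digests of compromised public keys. The firmware ships its
# own list; this one only contains the hash of the constructed all-zero key above.
KNOWN_WEAK_KEY_HASHES = {
    hashlib.sha256(bytes(32)).hexdigest(),
}


def decode_key(b64_key: str) -> bytes:
    """Decode an advertised public key and reject anything that is not 32 raw bytes."""
    raw = base64.b64decode(b64_key, validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte public key, got {len(raw)} bytes")
    return raw


def find_duplicate_keys(node_keys: dict) -> dict:
    """Return {key_hex: [node_ids]} for every public key advertised by more than one node."""
    owners = defaultdict(list)
    for node_id, b64 in node_keys.items():
        owners[decode_key(b64).hex()].append(node_id)
    return {key: sorted(ids) for key, ids in owners.items() if len(ids) > 1}


def find_known_weak_keys(node_keys: dict, weak_hashes=KNOWN_WEAK_KEY_HASHES) -> list:
    """Return the node ids whose public key hashes to an entry in the compromised-key list."""
    return sorted(
        node_id
        for node_id, b64 in node_keys.items()
        if hashlib.sha256(decode_key(b64)).hexdigest() in weak_hashes
    )


def audit(node_keys: dict, weak_hashes=KNOWN_WEAK_KEY_HASHES):
    """Print warnings in the spirit of the firmware's log messages; return the findings."""
    dupes = find_duplicate_keys(node_keys)
    weak = find_known_weak_keys(node_keys, weak_hashes)
    for key_hex, nodes in dupes.items():
        print(f"WARNING: public key {key_hex[:16]}... is shared by {', '.join(nodes)}; "
              f"regenerate keys on all of them")
    for node_id in weak:
        print(f"WARNING: node {node_id} advertises a known-compromised key; regenerate it")
    return dupes, weak


if __name__ == "__main__":
    audit(SAMPLE_NODE_KEYS)
```

Both checks work on public keys only, so they can be run from any node's view of the mesh without access to anyone's private key. A duplicate is a certain finding; absence from the hash list proves nothing about a key's entropy, so a key generated by affected firmware should still be regenerated after the upgrade.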


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the Meshtastic firmware to version 2.6.11 or later, where the vulnerability is patched by delaying key generation until the LoRa region is set and warning users of compromised keys. Additionally, version 2.6.12 will automatically wipe known compromised keys when detected. Users should perform a complete device wipe using the command `meshtastic --factory-reset-device` via the Python CLI to remove vendor-cloned duplicated keys. For stronger keys, it is recommended to generate high-entropy keys externally using OpenSSL with the command: `openssl genpkey -algorithm x25519 -outform DER | tail -c32 | base64`. These steps help ensure that compromised or low-entropy keys are removed and replaced with secure keys, preventing attackers from decrypting messages or gaining unauthorized control. [3]

