CVE-2025-55292
Unknown Unknown - Not Provided

NodeID Spoofing in Meshtastic Enables Persistent HAM Mode Hijacking

Vulnerability report for CVE-2025-55292, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-28

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-28
Last Modified
2026-03-02
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
meshtastic meshtastic_firmware to 2.7.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Meshtastic arises because nodes are identified by their NodeID generated from the MAC address rather than their public key. An attacker can exploit the HAM mode, which does not use encryption, by forging a NodeInfo message that claims HAM mode is enabled for a victim node. This causes other nodes to accept the forged information and overwrite their NodeDB, forcing them to send direct messages to the victim using the shared channel key instead of the more secure public key cryptography. The attacker can also modify node details like full name and short code. The attack can be maintained by repeatedly sending the forged NodeInfo, especially after the victim sends their own.

Impact Analysis

This vulnerability can impact you by allowing an attacker to intercept and manipulate communications within the mesh network. Because HAM mode lacks confidentiality and authentication, the attacker can force nodes to use less secure communication methods, potentially exposing sensitive information. Additionally, the attacker can alter node details, which may lead to misinformation or impersonation within the network. This undermines the security and trustworthiness of the mesh network communications.

Mitigation Strategies

Apply the available patch by upgrading Meshtastic to version 2.7.6.834c3c5 or later to fix the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart