CVE-2025-55292
Unknown Unknown - Not Provided
NodeID Spoofing in Meshtastic Enables Persistent HAM Mode Hijacking

Publication date: 2026-01-28

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-03-02
Generated
2026-05-07
AI Q&A
2026-01-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-55292
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
meshtastic meshtastic_firmware to 2.7.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Meshtastic arises because nodes are identified by their NodeID generated from the MAC address rather than their public key. An attacker can exploit the HAM mode, which does not use encryption, by forging a NodeInfo message that claims HAM mode is enabled for a victim node. This causes other nodes to accept the forged information and overwrite their NodeDB, forcing them to send direct messages to the victim using the shared channel key instead of the more secure public key cryptography. The attacker can also modify node details like full name and short code. The attack can be maintained by repeatedly sending the forged NodeInfo, especially after the victim sends their own.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to intercept and manipulate communications within the mesh network. Because HAM mode lacks confidentiality and authentication, the attacker can force nodes to use less secure communication methods, potentially exposing sensitive information. Additionally, the attacker can alter node details, which may lead to misinformation or impersonation within the network. This undermines the security and trustworthiness of the mesh network communications.


What immediate steps should I take to mitigate this vulnerability?

Apply the available patch by upgrading Meshtastic to version 2.7.6.834c3c5 or later to fix the vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart