Cyber Resilience

CVE-2025-53637

Medium

Published: 10 July 2025

Published
10 July 2025
Modified
22 August 2025
KEV Added
Patch
CVSS Score v3.1 4.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
EPSS Score 0.0023 45.6th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53637 is a medium-severity OS Command Injection (CWE-78) vulnerability in Meshtastic Meshtastic Firmware. Its CVSS base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 45.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the…

more

shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1677 Poisoned Pipeline Execution Execution
Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.
Why these techniques?

Vulnerability enables command injection (T1059.004) in GitHub Actions shell code via unsafe interpolation of user-controlled inputs like branch names on pull_request_target trigger, facilitating poisoned pipeline execution (T1677) and software supply chain compromise (T1195.002) by injecting unauthorized code into the repository.

Affected Assets

meshtastic
meshtastic firmware
≤ 2.6.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References