CVE-2025-55292
Published: 28 January 2026
Summary
CVE-2025-55292 is a high-severity Use of Less Trusted Source (CWE-348) vulnerability in Meshtastic Firmware (vendor: Meshtastic). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerading (T1036). The CVE ranks at the 9.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-13 (Cryptographic Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-3 (Device Identification and Authentication): requires strong device identification and authentication based on public keys instead of MAC-derived NodeIDs, which directly prevents an attacker from forging a victim's NodeInfo packets.
- SC-13 (Cryptographic Protection): mandates cryptographic protection of communications and node information, mitigating abuse of the unencrypted HAM mode and ensuring PKC is used in preference to shared channel keys.
- SI-2 (Flaw Remediation): ensures timely remediation through firmware patching to version 2.7.6.834c3c5 or later, which directly addresses the NodeID and NodeDB overwrite vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker impersonate a node by forging its NodeInfo (Masquerading, T1036) and forces direct messages to that node down to the shared channel key, so anyone holding that key can intercept them (Adversary-in-the-Middle, T1557).
NVD Description
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwrite the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.
Deeper analysis
CVE-2025-55292 affects Meshtastic, an open source mesh networking solution. In Meshtastic firmware versions prior to 2.7.6.834c3c5, a node is identified by a NodeID derived from its MAC address rather than by its public key. Because the NodeID is not bound to any key, an attacker can abuse the unencrypted HAM mode by forging a NodeInfo packet for a victim node that falsely advertises HAM mode as enabled; other nodes on the mesh accept the forged packet and overwrite the victim's entry in their NodeDB.
Exploitation requires only the ability to transmit on the mesh; no privileges or credentials are needed. Once the forged NodeInfo is accepted, the other nodes stop using public key cryptography (PKC) for direct messages to the victim and fall back to the shared channel key, which anyone holding that key can decrypt, so confidentiality is lost. Because HAM mode provides no authentication, the attacker can also rewrite the victim's node details, such as its full name or short code. The attack is kept persistent simply by re-broadcasting the forged NodeInfo, in particular immediately after the victim broadcasts its legitimate one, so that the forged entry is always the most recent.
The fix ships in firmware version 2.7.6.834c3c5; see the project's GitHub commit e5e8683cdba133e726033101586c3235a8678893 and security advisory GHSA-45vg-3f35-7ch2. Operators should update all nodes to that version or later.
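As an added example, not code from this page or from the Meshtastic project, the following Python model contrasts the pre-patch NodeDB policy (identity is the MAC-derived NodeID, last packet wins) with a policy that binds identity to a public key and requires any change to be signed by it. The NodeInfo fields, the update rules and the Lamport one-time signature that stands in for the firmware's PKC are assumptions made for this example; the node ID, names and key seed are constructed.

```python
"""Added illustrative model of the NodeDB downgrade behind CVE-2025-55292.
Example code written for this page, not Meshtastic firmware: the NodeInfo
fields, the update policy and the Lamport one-time signature used in place
of the firmware's PKC are all simplifying assumptions."""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# Stand-in for PKC (assumption): a Lamport one-time signature built from SHA-256.
# A key pair signs one distinct message; resending the same NodeInfo reuses the
# same signature, which is all this scenario needs.
def keygen(seed: bytes):
    sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def _bit(msg: bytes, i: int) -> int:
    return (int.from_bytes(H(msg), "big") >> (255 - i)) & 1


def sign(sk, msg: bytes) -> List[bytes]:
    return [sk[i][_bit(msg, i)] for i in range(256)]


def verify(pk, msg: bytes, sig: Optional[List[bytes]]) -> bool:
    if sig is None or len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][_bit(msg, i)] for i in range(256))


def key_id(pk) -> bytes:
    return H(b"".join(h for pair in pk for h in pair))


@dataclass
class NodeInfo:
    node_id: int                        # MAC-derived ID: any radio can claim any value
    long_name: str
    short_name: str
    ham_mode: bool                      # True: sender claims unencrypted, unauthenticated HAM mode
    public_key: Optional[list] = None   # absent when the sender claims HAM mode
    sig: Optional[list] = None          # signature over encode() under public_key

    def encode(self) -> bytes:
        head = f"{self.node_id}|{self.long_name}|{self.short_name}|{int(self.ham_mode)}|"
        return head.encode() + (key_id(self.public_key) if self.public_key else b"")


class NodeDB:
    def __init__(self):
        self.nodes: Dict[int, NodeInfo] = {}
        self.rejected: List[NodeInfo] = []

    def dm_mode(self, node_id: int) -> str:
        """How this node would encrypt a direct message to node_id."""
        ni = self.nodes[node_id]
        return "shared-channel-key" if ni.ham_mode or ni.public_key is None else "pkc"


class VulnerableNodeDB(NodeDB):
    """Pre-patch behaviour as the page describes it: the last NodeInfo heard for a
    NodeID replaces the entry, with no authentication at all."""
    def on_nodeinfo(self, ni: NodeInfo) -> bool:
        self.nodes[ni.node_id] = ni
        return True


class HardenedNodeDB(NodeDB):
    """Identity is the public key: the first keyed NodeInfo for an ID pins its key,
    and every later change for that ID (HAM downgrade, name change, key change) must
    be signed by the pinned key. Keyless HAM entries stay unauthenticated by design
    but can never displace a keyed entry."""
    def on_nodeinfo(self, ni: NodeInfo) -> bool:
        known = self.nodes.get(ni.node_id)
        pinned = known.public_key if known and known.public_key else ni.public_key
        if pinned is not None and not verify(pinned, ni.encode(), ni.sig):
            self.rejected.append(ni)
            return False
        self.nodes[ni.node_id] = ni
        return True


def run_scenario() -> Dict[str, dict]:
    """Constructed mesh: the victim announces itself with PKC; an attacker forges a
    NodeInfo for the same NodeID claiming HAM mode, and resends it right after the
    victim's own re-announcement (the persistence trick from the advisory)."""
    victim_sk, victim_pk = keygen(b"victim seed (constructed for this example)")
    legit = NodeInfo(0x1A2B3C4D, "Alice Base", "ALB", ham_mode=False, public_key=victim_pk)
    legit.sig = sign(victim_sk, legit.encode())
    forged = NodeInfo(0x1A2B3C4D, "Alice Base (HAM)", "ALB", ham_mode=True)  # no key, no sig
    tampered = replace(legit, ham_mode=True)  # victim's signed packet with HAM flipped on
    out: Dict[str, dict] = {}
    for name, db in (("vulnerable", VulnerableNodeDB()), ("hardened", HardenedNodeDB())):
        db.on_nodeinfo(legit)
        out[name] = {
            "forged_accepted": db.on_nodeinfo(forged),
            "tampered_accepted": db.on_nodeinfo(tampered),
            "dm_mode": db.dm_mode(legit.node_id),
            "replay_accepted": db.on_nodeinfo(legit),   # victim re-announces itself
        }
        db.on_nodeinfo(forged)                          # attacker resends right after
        out[name]["dm_mode_after_resend"] = db.dm_mode(legit.node_id)
        out[name]["long_name"] = db.nodes[legit.node_id].long_name
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

Running the scenario, the vulnerable NodeDB accepts both the keyless forged packet and the tampered copy of the victim's signed packet, drops direct messages to the victim onto the shared channel key, and shows the attacker's chosen name even after the victim re-announces, because the attacker simply resends. The hardened NodeDB rejects both forgeries (no valid signature under the pinned key), keeps using PKC, and still accepts the victim's own replayed announcement. The one-time signature is only a stdlib stand-in; a real deployment would use the firmware's actual PKC.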
Details
- CWE(s)