CVE-2025-53627

Name of the Vulnerable Software and Affected Versions Meshtastic versions 2.5 through 2.7.14

Description Meshtastic firmware, starting with version 2.5, implemented asymmetric encryption (PKI) for direct messages. However, when the pki encrypted flag is absent, the firmware reverts to legacy AES-256-CTR channel encryption without notifying the user. This creates a potential downgrade attack where an adversary with knowledge of a shared channel key can inject spoofed direct messages that appear as if they are PKI encrypted. User applications, including the Web app, iOS/Android app, and SDK-based applications, lack the ability to distinguish between PKI-encrypted and legacy-encrypted direct messages, undermining the security benefits of the PKI implementation. The pki encrypted flag is a parameter used to indicate whether a direct message has been encrypted with PKI.

Recommendations Update to version 2.7.15 or later.