PT-2026-5035 · Unknown · Meshtastic

Published 2026-01-27 · Updated 2026-03-02 · CVE-2025-55292

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Meshtastic versions prior to 2.7.6.834c3c5

Description

Meshtastic is a mesh networking solution where nodes are identified by their NodeID, derived from the MAC address, rather than their public key. This design flaw allows an attacker to forge NodeInfo on behalf of a victim node, specifically exploiting the HAM mode which lacks encryption. By advertising that HAM mode is enabled, an attacker can overwrite the NodeDB on other nodes in the mesh. This forces those nodes to use a shared channel key instead of the PKC for direct messages to the victim. Furthermore, the attacker can modify Node details such as the full name and short code, as HAM mode does not provide confidentiality or authentication. Maintaining the attack requires regularly resending the forged NodeInfo, particularly after the victim transmits their own information.

Recommendations

Update to version 2.7.6.834c3c5 or later.
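For operators who log received NodeInfo while nodes are still being updated, the check below is an added example (not code from this advisory or from the Meshtastic project) that pins the first public key seen for each NodeID and flags later NodeInfo that advertises HAM mode or a different key for that same NodeID. The `NodeInfo` record layout, its field names and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NodeInfo:          # hypothetical, simplified record of one received NodeInfo
    ts: int              # receive time in seconds
    node_id: str
    long_name: str
    short_name: str
    is_licensed: bool    # True when the sender advertises HAM mode
    public_key: str      # hex string; empty when no key is advertised

def audit(observations):
    """Return (ts, node_id, finding) tuples for NodeInfo that conflicts with a pinned key."""
    pinned = {}      # node_id -> first NodeInfo seen carrying a public key
    findings = []
    for obs in sorted(observations, key=lambda o: o.ts):
        known = pinned.get(obs.node_id)
        if known is None:
            # Nodes that have only ever announced HAM mode are never pinned.
            if obs.public_key and not obs.is_licensed:
                pinned[obs.node_id] = obs
            continue
        if obs.is_licensed or not obs.public_key:
            findings.append((obs.ts, obs.node_id, "ham-downgrade"))
            if (obs.long_name, obs.short_name) != (known.long_name, known.short_name):
                findings.append((obs.ts, obs.node_id, "name-change"))
        elif obs.public_key != known.public_key:
            findings.append((obs.ts, obs.node_id, "key-change"))
    return findings

def flapping(findings, node_id, minimum=2):
    """True when a NodeID was downgraded repeatedly, the pattern re-sent forgeries produce."""
    hits = [f for _, n, f in findings if n == node_id and f == "ham-downgrade"]
    return len(hits) >= minimum

# Constructed sample observations (not captured traffic).
SAMPLE = [
    NodeInfo(100, "!a1b2c3d4", "Alice Base", "ALC", False, "aa11"),
    NodeInfo(160, "!a1b2c3d4", "Alice Base", "ALC", True, ""),
    NodeInfo(400, "!a1b2c3d4", "Alice Base", "ALC", False, "aa11"),
    NodeInfo(430, "!a1b2c3d4", "A1ice", "ALX", True, ""),
    NodeInfo(500, "!0e0f1011", "Bob Mobile", "BOB", False, "bb22"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A single "ham-downgrade" finding can also be an operator legitimately switching modes, so the repeated pattern reported by `flapping` is the stronger signal.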

Related Identifiers

CVE-2025-55292
GHSA-45VG-3F35-7CH2

Affected Products

Meshtastic