CVE-2025-52464 in Firmwareinfo

Summary

by MITRE • 06/19/2025

Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation. When users with an affected key pair sent Direct Messages, those message could be captured and decrypted by an attacker that has compiled the list of compromised keys. This issue has been patched in version 2.6.11 where key generation is delayed til the first time the LoRa region is set, along with warning users when a compromised key is detected. Version 2.6.12 furthers this patch by automatically wiping known compromised keys when found. A workaround to this vulnerability involves users doing a complete device wipe to remove vendor-cloned keys.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 10/09/2025

The vulnerability described in CVE-2025-52464 affects Meshtastic mesh networking solutions across versions 2.5.0 through 2.6.10, representing a critical cryptographic weakness that undermines the security foundation of affected devices. This issue stems from flawed key generation practices during the flashing process for multiple hardware vendors, resulting in the creation of duplicate public/private key pairs across different devices. The problem is particularly concerning because it affects the core cryptographic integrity of the mesh network, where each device relies on unique key pairs for secure communication and message encryption. The vulnerability demonstrates poor implementation of cryptographic key management practices and highlights the dangers of vendor-specific flashing procedures that do not properly isolate device identities.

The technical flaw manifests through two interconnected weaknesses that compound the security risk significantly. First, the duplicated keys occur during device provisioning when vendor-specific flashing procedures fail to generate unique cryptographic material for each device instance. Second, the Meshtastic firmware exhibits inadequate entropy initialization on certain platforms, leading to low-entropy key generation that makes cryptographic keys predictable and vulnerable to brute force attacks. This dual failure creates a scenario where attackers can compile lists of compromised key pairs and subsequently decrypt messages sent through the mesh network. The vulnerability directly relates to CWE-330, which addresses insufficient entropy in random number generation, and CWE-327, covering weak cryptographic algorithms and key generation practices. The issue particularly affects the confidentiality and integrity of Direct Messages transmitted within the mesh network, as these communications rely on the uniqueness and unpredictability of cryptographic keys for their security properties.

The operational impact of this vulnerability extends beyond individual device compromise to threaten the entire mesh network infrastructure, as compromised keys can be used to decrypt communications between multiple devices. Attackers who obtain the list of affected key pairs can perform passive eavesdropping on mesh network traffic, potentially accessing sensitive information transmitted through the network. This vulnerability particularly affects scenarios where users rely on the mesh network for secure communication in environments where adversaries might be present to collect and analyze network traffic. The attack surface is further expanded by the fact that the vulnerability affects multiple hardware vendors, meaning that a single compromised key list can potentially decrypt communications across different device types and manufacturers. This issue aligns with ATT&CK technique T1566, which covers credential harvesting through social engineering and network reconnaissance, and T1041, which addresses data compression and encryption bypass techniques.

The security patches implemented in versions 2.6.11 and 2.6.12 address the root causes through multiple defensive mechanisms that strengthen the cryptographic foundation of the mesh network. Version 2.6.11 introduces a critical change by delaying key generation until the first LoRa region setting, ensuring that each device generates unique keys based on its specific operational context rather than pre-defined vendor values. Additionally, the version includes user warnings when compromised keys are detected, providing visibility into potential security issues. Version 2.6.12 enhances this protection by automatically wiping known compromised keys when detected, preventing continued use of vulnerable cryptographic material. The recommended workaround of complete device wiping serves as an immediate mitigation strategy for users with affected devices, though it represents a more disruptive solution that requires users to reset their entire device configuration. The patch addresses fundamental cryptographic implementation issues and demonstrates proper security engineering practices by ensuring that key generation occurs at the appropriate time in the device lifecycle, when sufficient entropy and unique device context are available. This vulnerability highlights the importance of proper cryptographic key management and the dangers of vendor-specific provisioning processes that do not account for device uniqueness requirements.

Responsible

GitHub M

Reservation

06/17/2025

Disclosure

06/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00409

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!