What is the CVSS score of CVE-2025-52464?

CVE-2025-52464 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of IoT are affected by CVE-2025-52464?

Meshtastic devices running versions 2.5.0 through 2.6.10 contain duplicated cryptographic keys due to manufacturing flaws and weak entropy initialization, potentially allowing attackers to decrypt…. A patch is available.

How to fix or mitigate CVE-2025-52464?

Within 24 hours: Identify all Meshtastic devices in your environment and document their firmware versions. Within 7 days: Upgrade all affected devices to version 2.6.12 or later, or perform complete device wipes as a temporary workaround if patching is not immediately possible. Within 30 days: Verify patch compliance across the entire device inventory and review message logs from affected devices for potential compromise during the vulnerable period.

IoT CVE-2025-52464

EUVD-2025-18918 HIGH

Insufficient Entropy (CWE-331)

2025-06-19 security-advisories@github.com

Information Disclosure IoT Meshtastic Firmware

8.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:08 euvd

EUVD-2025-18918

Analysis Generated

Mar 15, 2026 - 00:08 vuln.today

Patch released

Mar 15, 2026 - 00:08 nvd

Patch available

CVE Published

Jun 19, 2025 - 16:15 nvd

HIGH 8.3

DescriptionNVD

Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation. When users with an affected key pair sent Direct Messages, those message could be captured and decrypted by an attacker that has compiled the list of compromised keys. This issue has been patched in version 2.6.11 where key generation is delayed til the first time the LoRa region is set, along with warning users when a compromised key is detected. Version 2.6.12 furthers this patch by automatically wiping known compromised keys when found. A workaround to this vulnerability involves users doing a complete device wipe to remove vendor-cloned keys.

AnalysisAI

A remote code execution vulnerability in versions from 2.5.0 to (CVSS 8.3). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical ContextAI

Vulnerability type: remote code execution. CVSS 8.3 indicates high severity. Affects versions from 2.5.0 to.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2025-52464 vulnerability details – vuln.today

Back