How to fix CVE-2025-55292?

Within 24 hours: Inventory all Meshtastic deployments and assess criticality of affected systems. Within 7 days: Apply available vendor patch to all Meshtastic instances, prioritizing production and mission-critical networks. Within 30 days: Validate patch deployment across all systems, conduct post-patch security testing, and document remediation completion.

Is Meshtastic Firmware affected by CVE-2025-55292?

CVE-2025-55292 affects Meshtastic mesh networking deployments where node identification relies on MAC addresses rather than cryptographic keys, enabling potential node spoofing and unauthorized network access.

CVE-2025-55292

HIGH

2026-01-28 [email protected]

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Mar 02, 2026 - 21:17 vuln.today

Public exploit code

Patch Released

Mar 02, 2026 - 21:17 nvd

Patch available

CVE Published

Jan 28, 2026 - 00:15 nvd

HIGH 8.2

Description

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

Analysis

Technical Context

Affects Meshtastic Firmware. Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and o

Affected Products

Vendor: Meshtastic. Product: Meshtastic Firmware.

Remediation

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: +20

CVE-2025-55292 vulnerability details – vuln.today

Back

CVE-2025-55292

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-55292

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code