What is the CVSS score of CVE-2025-55292?

CVE-2025-55292 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Meshtastic Firmware are affected by CVE-2025-55292?

CVE-2025-55292 affects Meshtastic mesh networking deployments where node identification relies on MAC addresses rather than cryptographic keys, enabling potential node spoofing and unauthorized…. A patch is available.

Is there a public PoC exploit available for CVE-2025-55292?

Yes, a public proof-of-concept exploit is available for CVE-2025-55292. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-55292?

Within 24 hours: Inventory all Meshtastic deployments and assess criticality of affected systems. Within 7 days: Apply available vendor patch to all Meshtastic instances, prioritizing production and mission-critical networks. Within 30 days: Validate patch deployment across all systems, conduct post-patch security testing, and document remediation completion.

Meshtastic Firmware CVE-2025-55292

HIGH

Use of Less Trusted Source (CWE-348)

2026-01-28 security-advisories@github.com

Information Disclosure Meshtastic Firmware

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Mar 02, 2026 - 21:17 vuln.today

Public exploit code

Patch released

Mar 02, 2026 - 21:17 nvd

Patch available

CVE Published

Jan 28, 2026 - 00:15 nvd

HIGH 8.2

DescriptionNVD

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

AnalysisAI

Technical ContextAI

Affects Meshtastic Firmware. Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and o

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2025-55292 vulnerability details – vuln.today

Back

Meshtastic Firmware CVE-2025-55292

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code