What is the CVSS score of CVE-2025-55293?

CVE-2025-55293 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Meshtastic Firmware are affected by CVE-2025-55293?

Organizations using Meshtastic face critical risk from CVE-2025-55293, a improper authentication vulnerability rated CVSS 9.4.. A patch is available.

How to fix or mitigate CVE-2025-55293?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Audit authentication configurations and rotate any potentially compromised credentials.

Meshtastic Firmware CVE-2025-55293

CRITICAL

Improper Authentication (CWE-287)

2025-08-18 security-advisories@github.com

Authentication Bypass Meshtastic Firmware Suse

9.4

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.4 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

SUSE

CRITICAL

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:07 vuln.today

Patch released

Mar 28, 2026 - 19:07 nvd

Patch available

CVE Published

Aug 18, 2025 - 18:15 nvd

CRITICAL 9.4

DescriptionGitHub Advisory

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.

AnalysisAI

Meshtastic is an open source mesh networking solution. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3. Affected products include: Meshtastic Meshtastic Firmware.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

Vendor StatusVendor

SUSE

Severity: Critical

CVE-2025-55293 vulnerability details – vuln.today

Back

Meshtastic Firmware CVE-2025-55293

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code