Meatmeet Pro Thermometer CVE-2025-65828
MEDIUMSeverity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
BLE proximity mandates AV:A; no auth required (PR:N); only availability disrupted with no confidentiality or integrity impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of Service. These commands include: shutdown, restart, clear config. Clear config would disassociate the current device from its user and would require re-configuration to re-enable the device. As a result, the end user would be unable to receive updates from the Meatmeet base station which communicates with the cloud services until the device had been fixed or turned back on.
AnalysisAI
Unauthenticated Bluetooth Low Energy (BLE) command execution against the Meatmeet Pro WiFi & Bluetooth Meat Thermometer firmware 1.0.34.4 allows any proximity attacker to issue shutdown, restart, or factory-reset commands without credentials, resulting in a denial of service. The clear-config command is particularly disruptive: it dissociates the device from its owner account, severing the connection to the Meatmeet cloud backend and requiring full device re-provisioning before temperature data can be received again. A public proof-of-concept is available via a GitHub gist, though EPSS sits at 0.27% (19th percentile), reflecting the niche consumer IoT footprint rather than low technical reproducibility.
Technical ContextAI
The affected component is the Meatmeet Pro WiFi & Bluetooth Meat Thermometer firmware at version 1.0.34.4 (CPE: cpe:2.3:o:meatmeet:meatmeet_pro_wifi_&_bluetooth_meat_thermometer_firmware:1.0.34.4). The device exposes a Bluetooth Low Energy (BLE) interface that accepts operational commands - including shutdown, restart, and clear config - without requiring any pairing PIN, bonding, or authentication handshake. CWE-306 (Missing Authentication for Critical Function) precisely captures the root cause: critical device-management functions are reachable over the BLE radio interface with no access control layer. BLE's default open-scanning model means any device within radio range can discover and interact with the thermometer's GATT service without prior pairing.
RemediationAI
No vendor-released patch has been identified at time of analysis. There is no publicly available vendor advisory or fixed firmware version in the referenced sources. As a compensating control, users should store the thermometer in a physically controlled environment to limit BLE adjacency exposure - BLE range is typically 10-100 meters, so indoor use in a home or restaurant reduces but does not eliminate proximity attack surface. Disabling BLE discovery when active pairing is not in progress (if the firmware supports such a mode) would reduce the attack window; however, it is not confirmed whether firmware 1.0.34.4 supports this. Users affected by a clear-config attack must re-pair and re-configure the device through the companion app to restore cloud connectivity. Users should monitor the Meatmeet product page and firmware update channels for a patched release that enforces BLE authentication or pairing requirements before accepting management commands.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today