How to fix EUVD-2025-18918?

Within 24 hours: Identify all Meshtastic devices in your environment and document their firmware versions. Within 7 days: Upgrade all affected devices to version 2.6.12 or later, or perform complete device wipes as a temporary workaround if patching is not immediately possible. Within 30 days: Verify patch compliance across the entire device inventory and review message logs from affected devices for potential compromise during the vulnerable period.

Is IoT affected by EUVD-2025-18918?

Meshtastic devices running versions 2.5.0 through 2.6.10 contain duplicated cryptographic keys due to manufacturing flaws and weak entropy initialization, potentially allowing attackers to decrypt direct messages if they obtain the compromised key list.

EUVD-2025-18918

| CVE-2025-52464 HIGH

2025-06-19 [email protected]

8.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:08 euvd

EUVD-2025-18918

Analysis Generated

Mar 15, 2026 - 00:08 vuln.today

Patch Released

Mar 15, 2026 - 00:08 nvd

Patch available

CVE Published

Jun 19, 2025 - 16:15 nvd

HIGH 8.3

Description

Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation. When users with an affected key pair sent Direct Messages, those message could be captured and decrypted by an attacker that has compiled the list of compromised keys. This issue has been patched in version 2.6.11 where key generation is delayed til the first time the LoRa region is set, along with warning users when a compromised key is detected. Version 2.6.12 furthers this patch by automatically wiping known compromised keys when found. A workaround to this vulnerability involves users doing a complete device wipe to remove vendor-cloned keys.

Analysis

A remote code execution vulnerability in versions from 2.5.0 to (CVSS 8.3). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical Context

Vulnerability type: remote code execution. CVSS 8.3 indicates high severity. Affects versions from 2.5.0 to.

Affected Products

['versions from 2.5.0 to']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: 0

EUVD-2025-18918 vulnerability details – vuln.today

Back

EUVD-2025-18918

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-18918

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code