dragosrCritical Meshtastic Vulnerability:
CVE-2025-52464: Meshtastic 2.5.0–2.6.10 shipped cloned or low-entropy X25519 keys via vendor pre-flash + weak RNG.
Collisions let attackers decrypt LoRa direct-msgs, replay/forge admin RPCs, hijack nodes; no forward secrecy, so old captures stay cleartext.
Firmware 2.6.11 defers key-gen, hardens entropy, flags compromised pairs.
Critical Meshtastic Flaw Allows Attackers to Decrypt Private Messages - Mander
Meshtastic developers released firmware version 2.6.11 with critical fixes: Key generation delay: Keys are now generated when users first set their LoRa region, preventing vendor-side duplication. Entropy improvements: Added multiple randomness sources to strengthen cryptographic initialization. Compromised key detection: Devices now warn users if known vulnerable keys are detected. An upcoming version (2.6.12) will automatically wipe compromised keys. For immediate protection, users should: Update devices to firmware 2.6.11 or later. Perform a factory reset using Meshtastic’s CLI: meshtastic –factory-reset-device. Manually generate high-entropy keys via OpenSSL for critical deployments.
Alexander 😷