Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-53627
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-29 Dec, 2025 | 17:15
Updated At-26 Feb, 2026 | 19:11

Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
meshtastic
meshtastic
>>meshtastic_firmware>>Versions from 2.5.0(inclusive) to 2.7.15(exclusive)
cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1287Primarysecurity-advisories@github.com
CWE ID: CWE-1287
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/meshtastic/firmware/security/advisories/GHSA-377p-prwp-4hwfsecurity-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/meshtastic/firmware/security/advisories/GHSA-377p-prwp-4hwf
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Change History
0Changes found
Details not found