Critical cryptographic flaw in Meshtastic Mesh Networking platform exposes private communications
Take action: If you run Meshtastic devices, check the firmware version. If it is 2.5.0 and above, update to firmware version 2.6.11 or later: on affected devices, attackers can read your private messages and take control of your nodes. Where possible, flash the update yourself; otherwise ask your device manufacturer for a patched build. After updating, perform a factory reset with "meshtastic --factory-reset-device" to remove the old and potentially compromised encryption keys.
Meshtastic, an open-source mesh networking solution used for off-grid communication, has a critical security vulnerability that allows attackers to decrypt private messages and hijack remote administration of devices.
Meshtastic is an open-source mesh networking project that enables long-range, off-grid communication between devices without relying on cellular towers, WiFi, or internet infrastructure. It's designed to create networks where devices can communicate directly with each other and relay messages through intermediate nodes to extend range and coverage. LoRa (Long Range) is a low-power, wide-area network (LPWAN) radio technology that forms the physical layer for Meshtastic communications. It's designed for Internet of Things (IoT) applications that need to send small amounts of data over long distances while consuming minimal power.
The vulnerability is tracked as CVE-2025-52464 (CVSS score 9.5) and is caused by two distinct but related issues in the cryptographic key generation and management process:
- Hardware vendors were inadvertently shipping devices with identical public/private key pairs due to cloning during mass flashing procedures in the manufacturing process.
- The Meshtastic implementation of the rweather/crypto library was failing to properly initialize the internal randomness pool on some platforms, leading to low-entropy key generation that could result in predictable or duplicated cryptographic keys.
When users with affected key pairs send Direct Messages, those communications can be captured and decrypted by attackers who have compiled lists of compromised keys. The remote administration feature is an additional threat: if a compromised key is added as a remote administrator, anyone holding that private key gains administrative control over the mesh nodes. In more complex scenarios, attackers can determine the public key of authorized administrators and use compromised private keys to derive the shared keys, enabling them to impersonate legitimate administrators and send unauthorized commands to remote nodes.
The flaws have been present since the introduction of Public Key Cryptography (PKC) for Direct Messages in firmware version 2.5.0, released in September 2024.
The vulnerability affects all Meshtastic devices running firmware versions greater than 2.5.0 that were manufactured and flashed by vendors before the implementation of the security fixes.
Meshtastic developers released firmware version 2.6.11 addressing both root causes of the vulnerability. The updated firmware delays key generation until users first set their LoRa region, effectively eliminating the vendor cloning issue that led to duplicate keys during manufacturing. The update also implements enhanced entropy collection by adding multiple sources of randomness to the cryptographic library initialization process. Additionally, version 2.6.11 includes compromised key detection capabilities that warn users when known vulnerable keys are identified on their devices.
An upcoming firmware release (version 2.6.12) will automatically detect and wipe compromised keys when found, providing additional automated protection against affected key pairs.
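The compromised-key warning in 2.6.11 runs on the device itself. An operator who manages a fleet can run the equivalent check against an exported inventory of node public keys, flagging keys shared by more than one node (the vendor cloning issue) and keys that appear on a published compromised-key list. The script below is an added example, not Meshtastic project code; the inventory format (node id to base64 public key), the node ids and every key value are constructed sample data, and the compromised-key set stands in for whatever list the operator obtains.

```python
"""Fleet audit for duplicated or known-compromised Meshtastic node public keys.

Added example (not Meshtastic project code). It mirrors the idea behind the
firmware 2.6.11 warning for an operator holding an inventory of node keys.
Every key below is a constructed sample value, not a real Meshtastic key.
"""
import base64
import binascii
import hashlib
from collections import defaultdict

X25519_KEY_LEN = 32  # Meshtastic PKC uses 32-byte X25519 public keys


def sample_key(label: str) -> str:
    """Constructed 32-byte sample key derived from a label (NOT a real key)."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


# Constructed inventory: node id -> base64 public key (assumed export format).
# Two nodes from the same "batch" carry an identical key, modelling the
# cloning that happened during mass flashing.
FLEET = {
    "!node0001": sample_key("batch-7-clone"),
    "!node0002": sample_key("batch-7-clone"),
    "!node0003": sample_key("unique-a"),
    "!node0004": sample_key("leaked-elsewhere"),
    "!node0005": "dG9vc2hvcnQ=",  # decodes to "tooshort": malformed, not 32 bytes
}

# Constructed stand-in for a published list of known-compromised public keys.
KNOWN_COMPROMISED = {sample_key("batch-7-clone"), sample_key("leaked-elsewhere")}


def decode_key(b64: str) -> bytes:
    """Decode a base64 key and enforce the 32-byte X25519 length."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != X25519_KEY_LEN:
        raise ValueError(f"expected {X25519_KEY_LEN} bytes, got {len(raw)}")
    return raw


def audit(fleet: dict, compromised: set) -> dict:
    """Return nodes sharing a key, nodes on the compromised list, and malformed entries."""
    by_key = defaultdict(list)
    malformed = []
    for node, b64 in fleet.items():
        try:
            raw = decode_key(b64)
        except (ValueError, binascii.Error):
            malformed.append(node)
            continue
        # Re-encode so comparisons use one canonical base64 form.
        by_key[base64.b64encode(raw).decode()].append(node)
    duplicates = {key: nodes for key, nodes in by_key.items() if len(nodes) > 1}
    flagged = sorted(node for key, nodes in by_key.items() if key in compromised for node in nodes)
    return {"duplicates": duplicates, "compromised": flagged, "malformed": malformed}


if __name__ == "__main__":
    report = audit(FLEET, KNOWN_COMPROMISED)
    for key, nodes in report["duplicates"].items():
        print(f"DUPLICATE key {key[:12]}... shared by {', '.join(nodes)}")
    for node in report["compromised"]:
        print(f"COMPROMISED key on {node}: factory-reset and regenerate")
    for node in report["malformed"]:
        print(f"MALFORMED key entry on {node}: inspect export")
```

Any node reported as duplicate or compromised should get the factory reset described below, so that a fresh key is generated under the fixed firmware; a malformed entry usually means the export itself needs checking.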
Users are strongly advised to update their devices to firmware 2.6.11 or later and perform factory resets using the Meshtastic Command Line Interface with the command "meshtastic --factory-reset-device" to ensure removal of any potentially compromised keys.
Users requiring maximum security assurance should manually generate high-entropy keys using OpenSSL with the command "openssl genpkey -algorithm x25519 -outform DER | tail -c32 | base64".
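The "tail -c32" in that command works because the DER output of "openssl genpkey -algorithm x25519" is a 48-byte PKCS#8 PrivateKeyInfo whose last element is the 32-byte raw private key wrapped in two OCTET STRINGs (RFC 8410). The parser below is an added example, not Meshtastic or OpenSSL code: it walks that structure explicitly, checks the X25519 OID and the 32-byte length, and shows that the result equals the last 32 bytes. The sample DER is constructed inline from the fixed 16-byte header and a made-up key so it runs without OpenSSL installed.

```python
"""Extract the raw X25519 private key from a PKCS#8 DER blob.

Added example (not project code). Verifies why "tail -c32 | base64" yields
the key Meshtastic expects, and fails loudly if the blob is not the plain
48-byte form produced by "openssl genpkey -algorithm x25519 -outform DER".
"""
import base64

X25519_OID = bytes.fromhex("2b656e")  # 1.3.101.110, id-X25519 (RFC 8410)
RAW_KEY_LEN = 32

# Constructed sample: the fixed PKCS#8 header for X25519 followed by a
# made-up 32-byte key. Not a real key; for illustration only.
SAMPLE_RAW = bytes(range(1, RAW_KEY_LEN + 1))
SAMPLE_DER = bytes.fromhex("302e020100300506032b656e04220420") + SAMPLE_RAW


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value (short-form length) starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in an X25519 PKCS#8 key")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, bytes(buf[start:end]), end


def raw_key_from_pkcs8_der(der: bytes) -> bytes:
    """Return the 32-byte CurvePrivateKey from a PKCS#8 X25519 PrivateKeyInfo."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer PrivateKeyInfo SEQUENCE malformed")
    tag, version, pos = _read_tlv(body, 0)          # INTEGER version
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected PKCS#8 version")
    tag, alg, pos = _read_tlv(body, pos)            # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != X25519_OID:
        raise ValueError("not an X25519 key")
    tag, priv, pos = _read_tlv(body, pos)           # PrivateKey OCTET STRING
    # Require the private key to be the final element: if an optional
    # publicKey followed it, "tail -c32" would return the wrong bytes.
    if tag != 0x04 or pos != len(body):
        raise ValueError("PrivateKey is not the last element; tail -c32 would be unsafe")
    tag, raw, inner_end = _read_tlv(priv, 0)        # inner CurvePrivateKey OCTET STRING
    if tag != 0x04 or inner_end != len(priv) or len(raw) != RAW_KEY_LEN:
        raise ValueError("CurvePrivateKey must be a 32-byte OCTET STRING")
    return raw


def tail_c32(der: bytes) -> bytes:
    """What the shell pipeline's "tail -c32" produces."""
    return der[-RAW_KEY_LEN:]


def to_base64(raw: bytes) -> str:
    """Base64 form matching the final "| base64" stage of the command."""
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    raw = raw_key_from_pkcs8_der(SAMPLE_DER)
    print("parsed == tail -c32:", raw == tail_c32(SAMPLE_DER))
    print("base64 key:", to_base64(raw))
```

Running the parser on real OpenSSL output is a cheap sanity check before pasting the base64 string into a node's configuration: a decoded length other than 32 bytes, or a structure other than the plain 48-byte form, means the pipeline did not capture the key you think it did.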