Critical Meshtastic RCE Vulnerability (CVE-2025-24797) Requires Urgent Update

Summary: A critical vulnerability (CVE-2025-24797) in the Meshtastic firmware allows unauthenticated remote code execution: a malformed mesh packet triggers a buffer overflow during packet handling. The flaw affects devices running firmware versions prior to 2.6.2 and carries a CVSS score of 9.4. Because the trigger is a single crafted over-the-air packet, the exposure is greatest in the outdoor and emergency-communication deployments where Meshtastic nodes run unattended. Users should upgrade to firmware 2.6.2 or later to remove the vulnerable code path.

Affected: Meshtastic devices running firmware versions prior to 2.6.2

Key points:

  • The vulnerability enables unauthenticated remote code execution through a buffer overflow triggered by a malformed mesh packet.
  • Exploitation requires no user interaction when the device is rebroadcasting packets on the default mesh channel, which is the out-of-the-box configuration.
  • Because nodes relay traffic, the malicious packet can be delivered over multiple hops, so the attacker need not be within direct radio range of the target; this widens the attack surface considerably.
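
The advisory names the bug class (a buffer overflow from a malformed packet) but not the code. The following is an added illustration of that class and of the check that defeats it; it is constructed for this page and is not Meshtastic firmware, does not reproduce CVE-2025-24797, and the wire format, field names, buffer size and return codes are all invented. The pattern it shows is the general one: a length field taken from the radio is used as a memcpy size without being compared to the destination buffer or to the bytes actually received.

```c
/* Added example: the unchecked-length decoder beside its hardened form.
 * Hypothetical frame layout and sizes; NOT Meshtastic code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 32   /* invented fixed size of the decode buffer */
#define HDR_LEN     10   /* dest(4) src(4) hops(1) payload_len(1) */

typedef struct {
    uint32_t dest;
    uint32_t src;
    uint8_t  hops;
    uint8_t  payload_len;
    uint8_t  payload[MAX_PAYLOAD];
} decoded_packet_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length byte received over the air is trusted and
 * used as the copy size. A frame declaring more than MAX_PAYLOAD bytes writes
 * past payload[] into whatever follows (on firmware, usually the stack).
 * In this file it is only ever called on a well-formed frame. */
int decode_packet_unsafe(const uint8_t *frame, size_t frame_len, decoded_packet_t *out) {
    if (frame_len < HDR_LEN) return -1;
    out->dest = rd32(frame);
    out->src = rd32(frame + 4);
    out->hops = frame[8];
    out->payload_len = frame[9];
    memcpy(out->payload, frame + HDR_LEN, out->payload_len); /* BUG: unchecked length */
    return 0;
}

/* Hardened form: the declared length must fit the destination buffer AND must
 * not exceed the bytes that actually arrived; otherwise the frame is dropped
 * before anything is copied. */
int decode_packet_safe(const uint8_t *frame, size_t frame_len, decoded_packet_t *out) {
    if (frame_len < HDR_LEN) return -1;
    uint8_t declared = frame[9];
    if (declared > MAX_PAYLOAD) return -2;                  /* would overflow payload[] */
    if ((size_t)declared > frame_len - HDR_LEN) return -3;  /* truncated frame: over-read */
    out->dest = rd32(frame);
    out->src = rd32(frame + 4);
    out->hops = frame[8];
    out->payload_len = declared;
    memcpy(out->payload, frame + HDR_LEN, declared);
    return 0;
}

/* How many bytes the unsafe decoder would write past payload[] for a given
 * length byte (0 when the frame is in bounds). */
int unsafe_overrun_bytes(uint8_t declared) {
    return declared > MAX_PAYLOAD ? declared - MAX_PAYLOAD : 0;
}

/* Builds a constructed test frame: broadcast destination, fixed source and
 * hop count, caller-chosen length byte and payload bytes. */
static size_t build_frame(uint8_t *buf, size_t cap, uint8_t declared_len,
                          const uint8_t *payload, size_t payload_bytes) {
    if (cap < HDR_LEN + payload_bytes) return 0;
    memset(buf, 0, HDR_LEN);
    memset(buf, 0xff, 4);          /* dest: broadcast */
    buf[4] = 0x01;                 /* src */
    buf[8] = 3;                    /* hops */
    buf[9] = declared_len;
    memcpy(buf + HDR_LEN, payload, payload_bytes);
    return HDR_LEN + payload_bytes;
}

/* Well-formed frame: length byte matches the wire and fits the buffer. */
int demo_valid(void) {
    static const uint8_t msg[] = "hello";   /* constructed payload */
    uint8_t frame[64];
    decoded_packet_t pkt;
    size_t n = build_frame(frame, sizeof frame, 5, msg, 5);
    int rc = decode_packet_safe(frame, n, &pkt);
    if (rc != 0 || pkt.payload_len != 5 || memcmp(pkt.payload, msg, 5) != 0) return -99;
    memset(&pkt, 0, sizeof pkt);
    rc = decode_packet_unsafe(frame, n, &pkt);            /* safe only because input is good */
    if (rc != 0 || pkt.payload_len != 5 || memcmp(pkt.payload, msg, 5) != 0) return -98;
    return 0;
}

/* Malformed frame: length byte 200 with 200 real bytes behind it. Only the
 * bounds check stops a 168-byte overrun of payload[]. */
int demo_oversized(void) {
    uint8_t junk[200];
    uint8_t frame[256];
    decoded_packet_t pkt;
    memset(junk, 'A', sizeof junk);
    size_t n = build_frame(frame, sizeof frame, 200, junk, sizeof junk);
    return decode_packet_safe(frame, n, &pkt);            /* -2 */
}

/* Truncated frame: length byte claims 20 bytes but only 5 arrived. */
int demo_truncated(void) {
    static const uint8_t msg[] = "hello";
    uint8_t frame[64];
    decoded_packet_t pkt;
    size_t n = build_frame(frame, sizeof frame, 20, msg, 5);
    return decode_packet_safe(frame, n, &pkt);            /* -3 */
}

int main(void) {
    printf("valid frame      : %d\n", demo_valid());
    printf("oversized frame  : %d (unsafe path would overrun by %d bytes)\n",
           demo_oversized(), unsafe_overrun_bytes(200));
    printf("truncated frame  : %d\n", demo_truncated());
    return 0;
}
```

The point for a mesh network is where the check runs: every node that decodes a frame, including relays that only rebroadcast it, must reject an out-of-bounds length before copying, which is why the fix has to reach the whole fleet rather than only the nodes an operator considers exposed.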

Source: https://securityonline.info/critical-meshtastic-rce-vulnerability-cve-2025-24797-requires-urgent-update/