A critical vulnerability has been identified in Meshtastic, an open-source mesh networking solution, which could allow a remote attacker to impersonate trusted devices within the network. By sending a specially crafted sequence of messages, an attacker can overwrite a legitimate device's cryptographic key, enabling them to intercept data, inject malicious messages, and disrupt network operations. Due to the high severity of this flaw, immediate patching is required to protect the integrity and confidentiality of the mesh network.

The vulnerability exists in the handling of NodeInfo packets. An unauthenticated attacker on the mesh network can exploit this by first sending a NodeInfo packet with an empty publicKey field for a target node. This initial packet bypasses security checks that would normally prevent key overwrites. The attacker can then immediately follow up with a second NodeInfo packet containing a new public key under their control, which the victim's peers will accept as a valid update, effectively allowing the attacker to impersonate the target node.

This vulnerability is rated as critical severity with a CVSS score of 9.4. Successful exploitation could have a severe impact on business operations that rely on the Meshtastic network for communication or data transfer. An attacker could perform man-in-the-middle (MITM) attacks to intercept or alter sensitive communications, impersonate critical nodes to issue fraudulent commands, or cause a denial-of-service condition by disrupting network trust and routing. This compromises the confidentiality, integrity, and availability of the entire mesh network, posing a significant risk to operational security and data privacy.

Immediate Action: Immediately update all Meshtastic devices and products to version 2.6.3 or later. This version contains the necessary patch to validate NodeInfo packets correctly and prevent the key overwrite attack. After patching, monitor network logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Monitor network traffic for unusual NodeInfo update patterns. Specifically, look for logs or alerts indicating a node first broadcasting an empty public key and then immediately broadcasting a new, different key. System administrators should also monitor for unexpected changes in the public keys associated with known node IDs.

Compensating Controls: If immediate patching is not feasible, consider implementing network segmentation to isolate highly sensitive devices from the rest of the mesh network. Enforce physical security for all nodes to prevent unauthorized access. For highly sensitive data, implement an additional layer of end-to-end application-level encryption on top of the standard Meshtastic encryption.

Public Exploit Available: false

Given the critical CVSS score of 9.4 and the potential for complete network compromise, we strongly recommend that organizations treat this vulnerability with the highest priority. All affected Meshtastic devices must be updated to a patched version immediately. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity warrants urgent attention to prevent potential impersonation, data interception, and network disruption.