EXECUTIVE SUMMARY:
A critical vulnerability in Meshtastic, tracked as CVE-2025-24797 with a CVSS score of 9.4, enables unauthenticated remote code execution on devices running firmware versions below 2.6.2. The flaw stems from improper handling of malformed mesh packets with invalid Protocol Buffers data, leading to a buffer overflow during memory operations. This issue can be exploited without user interaction on any device broadcasting on the default mesh channel, and its impact is amplified across multi-hop networks. Researcher Alain Siegrist disclosed the flaw along with a proof-of-concept exploit, highlighting the simplicity of exploitation on embedded systems without memory protections. The vulnerability has been addressed in latest firmware version, and users are urged to update immediately.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: