Skip to main content

CVE-2025-24798: CWE-617: Reachable Assertion in meshtastic firmware

Medium
VulnerabilityCVE-2025-24798cvecve-2025-24798cwe-617
Published: Thu Jul 10 2025 (07/10/2025, 21:22:30 UTC)
Source: CVE Database V5
Vendor/Project: meshtastic
Product: firmware

Description

Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is enabled. This vulnerability is fixed in 2.6.2.

AI-Powered Analysis

AILast updated: 07/10/2025, 21:46:23 UTC

Technical Analysis

CVE-2025-24798 is a medium-severity vulnerability affecting Meshtastic firmware versions from 1.2.1 up to, but not including, 2.6.2. Meshtastic is an open-source mesh networking solution designed for decentralized communication, often used in low-power, long-range wireless networks. The vulnerability is classified as CWE-617 (Reachable Assertion), which means that an assertion in the code can be triggered by crafted input, leading to a crash or denial of service. Specifically, when a packet is sent to the routing module with the field 'want_response' set to true, the firmware crashes. This crash can cause a degradation of service for nodes within radio range of the malicious sender. Additionally, if MQTT downlink functionality is enabled, the attack can be conducted remotely via MQTT messages, expanding the attack surface beyond local wireless range. The vulnerability does not impact confidentiality or integrity directly but affects availability by causing nodes to crash and potentially disrupt mesh network operations. The issue was resolved in version 2.6.2 of the firmware. The CVSS v3.1 score is 4.3 (medium), reflecting that the attack vector is adjacent network (wireless or local network) with low attack complexity, no privileges or user interaction required, and the impact is limited to availability degradation only. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations utilizing Meshtastic-based mesh networks, particularly in critical communication scenarios such as emergency services, outdoor event coordination, or remote monitoring, this vulnerability poses a risk of service disruption. The crash induced by malicious packets can degrade network reliability and availability, potentially interrupting communication in areas relying on these mesh nodes. Organizations using MQTT downlink to manage or update nodes remotely face an increased risk, as attackers could exploit the vulnerability remotely without physical proximity. This could impact sectors such as public safety, environmental monitoring, and industrial IoT deployments where mesh networks are deployed for resilient communication. Although the vulnerability does not compromise data confidentiality or integrity, the denial of service effect could hinder operational continuity and emergency responsiveness. The medium severity rating indicates a moderate risk level, but the impact could be significant in environments where mesh network availability is critical.

Mitigation Recommendations

European organizations should promptly upgrade all Meshtastic firmware instances to version 2.6.2 or later to eliminate the vulnerability. For deployments where immediate upgrade is not feasible, network administrators should implement filtering rules to block packets with the 'want_response' flag set to true at the network edge or routing module level, if possible. Disabling MQTT downlink functionality temporarily can reduce the attack surface for remote exploitation. Additionally, monitoring mesh network nodes for unexpected crashes or service degradation can help detect exploitation attempts early. Organizations should also segment mesh network management traffic from other network segments to limit exposure. Implementing anomaly detection on MQTT traffic and wireless packets can provide early warning of malicious activity. Finally, incorporating redundancy in mesh network design can mitigate the impact of individual node crashes by maintaining alternative communication paths.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-01-23T17:11:35.838Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6870311ba83201eaacaa0c10

Added to database: 7/10/2025, 9:31:07 PM

Last enriched: 7/10/2025, 9:46:23 PM

Last updated: 7/10/2025, 9:46:23 PM

Views: 2

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats