
CVE-2025-55293: CWE-287: Improper Authentication in meshtastic firmware

Severity: Critical
Published: Mon Aug 18 2025 (08/18/2025, 17:24:35 UTC)
Source: CVE Database V5
Vendor/Project: meshtastic
Product: firmware

Description

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with an empty publicKey first, then overwrite it with a new key. First sending an empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.

AI-Powered Analysis

Last updated: 08/18/2025, 18:02:48 UTC

Technical Analysis

CVE-2025-55293 is a critical improper authentication vulnerability (CWE-287) in Meshtastic firmware versions prior to 2.6.3. Meshtastic is an open-source mesh networking solution that enables decentralized communication between devices. The vulnerability arises from flawed handling of NodeInfo public key updates. Specifically, an attacker can first send a NodeInfo message with an empty publicKey, which bypasses the check 'if (p.public_key.size > 0)' and clears the existing publicKey for a known node by resetting its size to zero. Subsequently, the attacker sends a new NodeInfo message with a malicious publicKey. This second message bypasses the check 'if (info->user.public_key.size > 0)' because the size was reset, allowing the malicious key to be stored in the NodeDB. This sequence effectively allows an attacker to overwrite the legitimate public key of a node with a malicious one without authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 9.4 (critical), reflecting its high impact and ease of exploitation over the network without privileges or user interaction. The impact includes full compromise of confidentiality and integrity of mesh communications, as the attacker can impersonate nodes, intercept, modify, or inject messages, and potentially disrupt network availability. The vulnerability was fixed in Meshtastic firmware version 2.6.3.
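Why the two size checks compose badly, shown as a simplified C model added here (not Meshtastic source code and not the 2.6.3 patch). The struct, the function names and the sample keys are assumptions; `update_hardened` is one possible fix that treats a stored key as immutable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): one NodeDB entry reduced to its stored key. */
typedef struct { uint8_t size; uint8_t bytes[32]; } pubkey_t;
typedef bool (*update_fn)(pubkey_t *stored, const pubkey_t *incoming);

static bool same_key(const pubkey_t *a, const pubkey_t *b) {
    return a->size == b->size && memcmp(a->bytes, b->bytes, a->size) == 0;
}

/* Flawed flow as the description gives it: both guards test only size > 0. */
static bool update_flawed(pubkey_t *stored, const pubkey_t *incoming) {
    if (incoming->size > 0) {                 /* skipped by an empty key */
        if (stored->size > 0 &&               /* skipped once the key is cleared */
            !same_key(stored, incoming))
            return false;                     /* mismatch with the stored key */
    }
    *stored = *incoming;                      /* an empty key resets size to 0 */
    return true;
}

/* One possible hardening (not the 2.6.3 patch): a stored key is immutable. */
static bool update_hardened(pubkey_t *stored, const pubkey_t *incoming) {
    if (stored->size > 0)
        return same_key(stored, incoming);    /* never clear or replace it */
    if (incoming->size > 0)
        *stored = *incoming;                  /* first key seen is pinned */
    return true;
}

/* Replays known key, empty key, different key; true if the known key survives. */
static bool pin_survives(update_fn update) {
    pubkey_t known = { 32, {0} }, empty = { 0, {0} }, other = { 32, {0} };
    pubkey_t stored = { 0, {0} };
    memset(known.bytes, 0xA1, 32);            /* constructed sample keys */
    memset(other.bytes, 0xB2, 32);
    update(&stored, &known);
    update(&stored, &empty);
    update(&stored, &other);
    return same_key(&stored, &known);
}

int main(void) {
    printf("flawed:   pin survives = %d\n", pin_survives(update_flawed));
    printf("hardened: pin survives = %d\n", pin_survives(update_hardened));
    return 0;
}
```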

Potential Impact

For European organizations using Meshtastic mesh networking devices, this vulnerability poses a significant risk. The ability to overwrite node public keys without authentication allows attackers to impersonate legitimate nodes, intercept sensitive communications, and manipulate data integrity within the mesh network. This could lead to unauthorized data disclosure, disruption of critical communications, and potential sabotage of network operations. Organizations relying on Meshtastic for secure communications in sectors such as emergency services, outdoor activities, or industrial IoT could face operational disruptions and data breaches. Given the critical severity and network-level exploitability, the threat is especially concerning for organizations operating in environments where mesh networking is integral to communication infrastructure.

Mitigation Recommendations

European organizations should immediately upgrade all Meshtastic devices to firmware version 2.6.3 or later, where this vulnerability is patched. In addition to patching, organizations should implement strict network segmentation to isolate mesh networks from broader enterprise networks, limiting exposure. Monitoring network traffic for anomalous NodeInfo messages, especially those with empty or suspicious public keys, can help detect exploitation attempts. Employing cryptographic validation and integrity checks on NodeInfo updates beyond the firmware's built-in checks can add a further layer of defense. Organizations should also maintain an inventory of all Meshtastic devices and enforce strict access controls to prevent unauthorized device configuration or message injection. Finally, educating users and administrators about this vulnerability and the importance of timely updates is critical to reducing risk.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-12T16:15:30.237Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68a3673ead5a09ad00b0dda5

Added to database: 8/18/2025, 5:47:42 PM

Last enriched: 8/18/2025, 6:02:48 PM

Last updated: 8/18/2025, 6:02:48 PM
