CVE-2025-24797

CRITICAL

meshtastic_firmware < 2.6.2 - Unauthenticated Remote Code Execution via Invalid Protobuf Data

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-24797. PoCs published by Alainx277.

AI-analyzed exploit summary: The repository contains a detailed writeup of CVE-2025-24797, describing a heap-buffer-overflow vulnerability in mesh packet handling due to improper validation of protobuf data, leading to potential remote code execution. The analysis includes an ASAN report and root cause explanation.

Description

Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability is fixed in 2.6.2.

Exploits (1)

nomisec WRITEUP 2 stars
by Alainx277 · poc
https://github.com/Alainx277/CVE-2025-24797

Classification
Writeup 90%
Attack Type
RCE
Complexity
Moderate
Reliability
Theoretical
Target: Meshtastic firmware (version not specified)
No auth needed
Prerequisites: Network access to target device · Target device rebroadcasts packets on default channel
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.4
EPSS 0.0074
EPSS Percentile 49.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-119 CWE-122
Status published
Products (1)
meshtastic/meshtastic_firmware < 2.6.2
Published Apr 15, 2025
Tracked Since Feb 18, 2026