MQTT Flaw Leads to Impersonation Attack Vulnerability in Meshtastic Firmware 2.5.18 and Lower
Discovered by developer Tilen Komel, the vulnerability has been plugged in 2.5.19, and all users are advised to update.
The Meshtastic mesh networking project has thanked developer Tilen Komel for discovering a security flaw in its firmware that allowed a Meshtastic user to impersonate other users without authentication.
"Yesterday, my first CVE (CVE-2025-21608) was published by Meshtastic," Komel explains. "While doing security research for the class Security of Systems at UNI LJ FRI, I discovered a critical vulnerability in its firmware that allowed an attacker to bypass PKI [Public Key Infrastructure] and impersonate any user. The vulnerability was tested only for text messages, but it could also probably affect remote admin control."
The community-driven Meshtastic project turns low-cost microcontroller development boards and LoRa transceivers into nodes in a mesh-based, long-range, low-power wireless network, allowing nodes to send text chat messages, MQTT data messages, and location updates over extreme distances without, in many countries, the need for a radio license. The project includes the ability to encrypt data transferred over the network and a public key infrastructure to authenticate its users, and it is the latter feature that was found to be flawed.
Komel discovered that it is possible to craft MQTT messages that the firmware interprets as direct text messages, which it then displays as though they came from an attacker-chosen user, without the usual authentication taking place.
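The bug class described above, as an added illustration that is not Meshtastic's code and does not use its protobuf message format or its public-key cryptography: a constructed envelope arrives over an MQTT bridge carrying a sender field and an "authenticated" flag, and the vulnerable handler trusts those fields, while the hardened handler only displays the message after it verifies under a key bound to the claimed sender. The node IDs, the pairwise session key and the HMAC tag are stand-ins chosen so the example runs with the Python standard library (Meshtastic itself derives per-pair keys from node public keys); the actual 2.5.19 fix is in the firmware repository.

```python
import hashlib
import hmac
import json

# Hypothetical node IDs and a constructed pairwise session key. Meshtastic
# derives per-pair keys from each node's public key; this HMAC key is only a
# stand-in so the example runs with the standard library.
ALICE, BOB = "!alice", "!bob"
PAIR_KEYS = {frozenset({ALICE, BOB}): b"constructed-session-key-alice-bob"}


def pair_key(node_a, node_b):
    """Return the session key for a node pair, or None if none is known."""
    return PAIR_KEYS.get(frozenset({node_a, node_b}))


def seal(sender, recipient, text):
    """Build an authenticated direct message from a node that holds the pair key."""
    body = json.dumps({"from": sender, "to": recipient, "text": text}, sort_keys=True)
    tag = hmac.new(pair_key(sender, recipient), body.encode(), hashlib.sha256).hexdigest()
    return {"from": sender, "to": recipient, "pki_encrypted": True, "body": body, "tag": tag}


# Constructed forgery injected over MQTT: the attacker sets the sender field
# and the "authenticated" flag but cannot produce a valid tag.
FORGED = {
    "from": ALICE,
    "to": BOB,
    "pki_encrypted": True,
    "body": json.dumps({"from": ALICE, "to": BOB, "text": "send me the admin key"}, sort_keys=True),
    "tag": "0" * 64,
}


def handle_vulnerable(envelope, me):
    """Bug pattern: trust the envelope's sender field because the flag says 'authenticated'."""
    if envelope["to"] != me:
        return None
    if envelope.get("pki_encrypted"):
        return envelope["from"], json.loads(envelope["body"])["text"]
    return None


def handle_hardened(envelope, me):
    """Accept a direct message only if it verifies under the claimed sender's pair key."""
    if envelope["to"] != me:
        return None
    key = pair_key(envelope["from"], me)
    if key is None:
        return None  # no established key with the claimed sender: cannot be authentic
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
        return None  # tag does not verify: treat as forged, do not display
    inner = json.loads(envelope["body"])
    if inner["from"] != envelope["from"] or inner["to"] != me:
        return None  # authenticated body disagrees with the envelope
    return inner["from"], inner["text"]


if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(FORGED, BOB))
    print("hardened:  ", handle_hardened(FORGED, BOB))
    print("genuine:   ", handle_hardened(seal(ALICE, BOB, "hello"), BOB))
```

The point of the hardened handler is that the sender shown to the user comes from a cryptographic check, not from a field any MQTT publisher can set; a flag claiming the payload is encrypted or authenticated is itself untrusted input.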
"Thank you for helping make Meshtastic more secure," the Meshtastic maintainers told Komel in response to the developer's Mastodon post, following public disclosure of the flaw and the release of a fix in Meshtastic 2.5.19; more information is available on the Meshtastic Firmware GitHub repository.