CVE-2025-65825

Dec. 12, 2025, 3:18 p.m.

4.6
Medium

Description

The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim's Wi-Fi network.

Product(s) Impacted

Product Versions
meatmeet_firmware
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-311
Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.

References

https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-flash-encryption-disabled-md
https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Flash-Encryption-Disabled.md

Tags

[email protected]
CWE-311
2025-12-10
CVE-2025-65825

CVSS Score

4.6 / 10

CVSS Data - 3.1

  • Attack Vector: PHYSICAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Dec. 10, 2025, 9:16 p.m.
Last Modified: Dec. 12, 2025, 3:18 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.