Undocumented commands tear security hole in ESP32 Bluetooth

Reports of undocumented Bluetooth HCI commands from ESP32 chips are doing the rounds. They open up a security flaw.

Various microcontroller boards: ESP32, STM32, Arduino Nano and more

The ESP32 chips are found in many IoT devices.

(Image: heise online/dmk)


The inexpensive WLAN and Bluetooth chips from the manufacturer Espressif, the ESP32 series, contain undocumented commands in the Bluetooth hardware communication interface in current firmware versions. According to the discoverers, this opens up a security gap through which attackers can gain a foothold. However, it is not as serious as it first appears – even though billions of ESP32 ICs are already doing their job in the wild, for example in smart sockets, heating controllers and similar everyday devices.

The vulnerability description is as follows: Espressif ESP32 ICs contain 29 hidden Bluetooth HCI commands, such as "0xFC02" – "Write memory" (CVE-2025-27840, CVSS 6.8, risk "medium"). The undocumented commands allow attackers to manipulate memory and, ultimately, even the flash, and thus take complete control of the chip.

The Bluetooth Host Controller Interface (HCI) defines, as the name suggests, the communication between the Bluetooth IC and the host system. It is therefore not directly reachable over the air, for example via Bluetooth radio. This communication traditionally runs over UART or SPI between the host system and the Bluetooth controller.
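To make the wired nature of this interface concrete, here is an added example (not from the article, Espressif or the researchers) that audits a captured host-to-controller HCI byte stream for vendor-specific commands: it assumes H4 (UART) framing, the standard 4-byte HCI command header from the Bluetooth Core specification, and a constructed sample trace; the parameter layout of 0xFC02 is not on the page and is not modelled.

```python
"""Audit an H4-framed HCI command stream for vendor-specific opcodes."""
import struct
from dataclasses import dataclass

H4_COMMAND = 0x01           # H4 packet indicator for HCI command packets
OGF_VENDOR_SPECIFIC = 0x3F  # OGF reserved for vendor-specific commands

# The only undocumented opcode the article names; others are flagged generically.
KNOWN_UNDOCUMENTED = {0xFC02: "Write memory"}


@dataclass
class HciCommand:
    opcode: int
    ogf: int
    ocf: int
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4_commands(stream: bytes) -> list:
    """Split a raw H4 byte stream into HCI command packets.

    Each command is: 0x01, opcode (2 bytes little-endian), parameter length
    (1 byte), parameters. Opcode layout: OGF in the top 6 bits, OCF in the low 10.
    """
    cmds, i = [], 0
    while i < len(stream):
        if stream[i] != H4_COMMAND:
            raise ValueError(f"unsupported H4 packet type 0x{stream[i]:02x} at offset {i}")
        if i + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        opcode, plen = struct.unpack_from("<HB", stream, i + 1)
        params = stream[i + 4 : i + 4 + plen]
        if len(params) != plen:
            raise ValueError("truncated HCI command parameters")
        cmds.append(HciCommand(opcode, opcode >> 10, opcode & 0x3FF, params))
        i += 4 + plen
    return cmds


def audit(stream: bytes) -> list:
    """Return (opcode, description) for every vendor-specific command in the trace."""
    findings = []
    for cmd in parse_h4_commands(stream):
        if cmd.vendor_specific:
            findings.append((cmd.opcode, KNOWN_UNDOCUMENTED.get(cmd.opcode, "vendor-specific, undocumented")))
    return findings


# Constructed sample trace: a standard HCI Reset (opcode 0x0C03, no parameters)
# followed by a vendor-specific 0xFC02 carrying four placeholder parameter bytes.
SAMPLE_TRACE = bytes.fromhex("01 030c 00" "01 02fc 04 00112233")

if __name__ == "__main__":
    for opcode, desc in audit(SAMPLE_TRACE):
        print(f"0x{opcode:04X}: {desc}")
```

Running the same audit over a UART capture taken between an application processor and its ESP32 would show whether the host firmware ever issues opcodes in the vendor-specific group at all.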

The discoverers presented their findings at the Spanish IT security conference RootedCON. They explained there that these commands can be used, among other things, to spoof MAC addresses, so that a device can pose as another Bluetooth peer and thus connect to smartphones, for example. Unauthorized access to data is therefore conceivable, and the write access also makes a persistent intrusion conceivable. However, all of this is only possible if access to a device with a vulnerable ESP32 IC has already been obtained: for example, if root access was gained, malware was installed or maliciously modified firmware was flashed. In that situation, these and more far-reaching malicious actions are already possible anyway.

IT security researcher Pascal Gujer has already put the alarming reports into perspective on X: "Backdoor in ESP32? Not so fast. Yes, hidden HCI commands allow deep access to memory, flash and Bluetooth internals. But: Not remotely exploitable with Bluetooth, no over-the-air (OTA) attack, requires 'wired' HCI access, and requires elevated privileges on the controller. It is a post-exploitation tool, it is not an 'instant game over'. If an attacker already has control of a host device, you're already cooked anyway."


A remedy could be updated firmware. Espressif provides OEMs with firmware source code, for example the so-called AT firmwares, which are also freely available online for hobbyists. In principle, this makes it possible to build updated firmware, which then has to be distributed to the affected devices. As is usual with IoT devices, however, problems are to be expected: many manufacturers do not offer firmware updates at all, and installation can prove difficult in many deployment scenarios. Anyone using ESP32-based IoT devices should therefore keep an eye on the manufacturer's website for possible updates; it may also help to ask the manufacturer whether and when they will provide them.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.