Home automation: ESPHome vulnerability allows full compromise

A vulnerability in ESPHome allows attackers to flash their own firmware, among other things. Updated software corrects this.

A recently discovered vulnerability in the ESP-IDF platform of the ESPHome firmware base allows attackers to bypass authentication. This even allows them to install their own firmware on vulnerable controllers.

ESPHome is a development framework that makes it easy to integrate microcontrollers into home automation systems. Developers use it as the basis for firmware for controller boards with ESP32 microprocessors, for example, and add their own functions on top. ESPHome also provides useful features such as over-the-air updates (OTA) so that developers do not have to implement them themselves.

A new vulnerability entry from Monday of this week describes the security gap in the firmware. The ESPHome developers state that the ESP-IDF platform's "web_server" authentication check incorrectly passes if the client-supplied, Base64-encoded authorization value is empty or contains only part of the correct value. "This allows access to the 'web_server' functions (including OTA if enabled) without having any information about the correct username or password," the programmers explain (CVE-2025-57808 / no EUVD yet, CVSS 8.1, risk "high").
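The behaviour described above (an empty or truncated credential being accepted) is what a comparison produces when it only checks as many bytes as the client actually sent. The following is an added illustration written for this article, not ESPHome's code and not a reconstruction of the actual patch: a check with that flaw next to a hardened version that requires the full value to match. The expected credential (`admin:secret`, Base64 `YWRtaW46c2VjcmV0`) and the function names are constructed for the example.

```cpp
// Added illustrative example (not ESPHome code): an HTTP Basic auth check that
// accepts empty or partial credentials, and a hardened version that does not.
#include <cstdio>
#include <cstring>
#include <string>

// Server-side expected value: base64("admin:secret"). Constructed sample credential.
static const std::string EXPECTED_B64 = "YWRtaW46c2VjcmV0";

// Split "Basic <value>" from an Authorization header into the Base64 part.
// Returns false when the scheme is not Basic.
bool parse_basic(const std::string &header, std::string &b64_out) {
  const std::string scheme = "Basic ";
  if (header.compare(0, scheme.size(), scheme) != 0) return false;
  b64_out = header.substr(scheme.size());
  return true;
}

// FLAWED pattern: the compared length comes from the client. An empty value
// compares zero bytes (always "equal"); any prefix of the real value also passes.
bool check_auth_vulnerable(const std::string &header) {
  std::string supplied;
  if (!parse_basic(header, supplied)) return false;
  return std::strncmp(supplied.c_str(), EXPECTED_B64.c_str(), supplied.size()) == 0;
}

// HARDENED: the length must match exactly, and every byte is compared without
// early exit so the result does not depend on where the first mismatch occurs.
bool check_auth_hardened(const std::string &header) {
  std::string supplied;
  if (!parse_basic(header, supplied)) return false;
  if (supplied.size() != EXPECTED_B64.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < supplied.size(); i++) {
    diff |= static_cast<unsigned char>(supplied[i]) ^
            static_cast<unsigned char>(EXPECTED_B64[i]);
  }
  return diff == 0;
}

int main() {
  const char *probes[] = {"Basic ", "Basic YWRtaW4", "Basic YWRtaW46c2VjcmV0", "Basic Zm9v"};
  for (const char *p : probes) {
    std::printf("%-26s flawed=%d hardened=%d\n", p,
                check_auth_vulnerable(p), check_auth_hardened(p));
  }
  return 0;
}
```

Running the block shows the flawed check accepting the empty value and the truncated prefix, while the hardened check accepts only the complete credential. The length check is the decisive fix; the branch-free comparison is the usual accompanying hygiene for secret comparisons.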

According to the vulnerability entry, the bug was introduced with ESPHome 2025.8.0, but the vulnerability reporter also claims to have verified the problem with ESPHome 2025.7.5. On GitHub, the reporter goes into more detail about the security problem. ESPHome 2025.8.1 or newer closes the hole. The current release is ESPHome 2025.8.2 from the weekend.

Anyone using ESPHome-based firmware on their Internet-of-Things devices should update to the latest firmware base. Because the statements about which versions are affected contradict each other, ESPHome versions before 2025.8.0 should also be updated to the new version.

In the middle of last year, Home Assistant updates caused over-the-air updates of older ESPHome projects to fail with nothing but error messages. The reason was that the "platform" parameter had become mandatory for OTA updates but was simply not specified in older projects.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.