Security issue in current release - bluetooth affected by CVE-2025-27840

Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).

https://nvd.nist.gov/vuln/detail/CVE-2025-27840

Press release from Espressif: Espressif’s Response to Claimed Backdoor and Undocumented Commands in ESP32 Bluetooth Stack | Espressif Systems

Releasing new binaries built with the latest ESP-IDF/ESP-AT is required to fix this issue, to my understanding.

We are aware of this; please note this extract from Espressif's press release:

  • No Remote Access: They cannot be triggered by Bluetooth, radio signals, or over the Internet, meaning they do not pose a risk of remote compromise of ESP32 devices.
  • Security Impact: While these debug commands exist, they cannot, by themselves, pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands.
  • Scope: If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE host, the aforementioned HCI commands are not exposed and there is no security threat.

This article is also interesting:
https://www.flyingpenguin.com/?p=67838