Hidden Commands in Bluetooth Chip Expose Over a Billion Devices
Researchers from Tarlogic Security have identified 29 undocumented commands within Espressif’s ESP32 microcontroller, a chip embedded in over a billion devices globally (via Bleeping Computer).

These hidden commands, discovered during a presentation at RootedCON in Madrid, could potentially be exploited to manipulate device memory, impersonate devices, and bypass security protocols.
The ESP32 chip, known for enabling Wi-Fi and Bluetooth connectivity, is widely integrated into various Internet of Things (IoT) devices, including smartphones, computers, smart locks, and medical equipment. Its affordability and versatility have contributed to its extensive adoption across consumer and industrial applications.
The Tarlogic researchers developed a cross-platform USB Bluetooth driver that allowed them to access raw Bluetooth traffic, leading to the discovery of these hidden vendor-specific commands. These commands enable low-level control over Bluetooth functions, such as memory manipulation, MAC address spoofing, and LMP and LLCP packet injection.
The presence of these undocumented commands raises concerns about potential security risks, including unauthorized data access and the possibility of attackers establishing long-term persistence on affected devices. Such vulnerabilities could be exploited to conduct impersonation attacks and infect sensitive devices.
In response to these findings, Espressif issued a statement clarifying that the undocumented commands are internal debug commands intended for testing purposes and are not accessible remotely.

While the Chinese chip maker emphasized that these commands do not pose a security risk to ESP32 chips under normal circumstances, it acknowledged the concerns and committed to providing a software update to remove these undocumented commands in future releases.
The issue has been assigned the identifier CVE-2025-27840 by the National Vulnerability Database (NVD).