The ESP32 microcontroller, manufactured by Espressif and shipped in over a billion devices worldwide, has been found to contain undocumented vendor-specific commands in its Bluetooth controller firmware. An attacker able to issue these commands could abuse them, which poses a significant security risk.

Potential Threats from Undocumented Commands

An attacker who can reach these hidden commands could use them for device spoofing, unauthorized access to data held by the device, and pivoting to other devices on the network. They could also be used to establish long-term persistence on the affected device.

Researchers from Tarlogic Security, Miguel Tarascó Acuña and Antonio Vázquez Blanco, unveiled these findings at the RootedCON conference in Madrid. Their research highlights the vulnerability of the ESP32, a chip widely used for Wi-Fi and Bluetooth connectivity in IoT devices.

Discovering the Vulnerability

Interest in Bluetooth security has diminished, not because the technology has become more secure, but because the existing tooling is outdated and incompatible with modern systems. Tarlogic developed a new cross-platform USB Bluetooth driver that gives raw access to the controller's HCI interface; probing the ESP32 with it revealed hidden vendor-specific commands in the chip's Bluetooth firmware.

  • 29 undocumented vendor-specific HCI commands discovered, allowing the controller's memory to be read and written and devices to be impersonated.
  • Potential for LMP/LLCP packet injection and MAC address spoofing.
  • The issue is tracked as CVE-2025-27840.
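Vendor-specific HCI commands such as the ones found here live in the opcode group the Bluetooth Core Specification reserves for manufacturers (OGF 0x3F), so one cheap check a firmware or product-security team can run is to audit the command stream their host sends to the controller for that opcode group. The script below is an added example and is not Tarlogic's tool or Espressif's code: it frames and parses H4 HCI command packets, decodes OGF/OCF, and flags vendor-specific commands. The trace it runs over is constructed for the example, and the OCF values and memory address used in the vendor-specific packets are hypothetical placeholders, not the ESP32's real undocumented opcodes.

```python
"""Parse H4 (UART/USB) HCI command packets and flag vendor-specific opcodes.

Added example, not code from the original report. The sample trace and the
vendor-specific OCF values in it are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List

H4_COMMAND = 0x01           # H4 packet indicator for an HCI command
OGF_VENDOR_SPECIFIC = 0x3F  # opcode group reserved for manufacturer extensions

# A few documented opcodes so the audit output is readable (Core Spec Vol 4, Part E).
KNOWN_OPCODES = {
    0x0C03: "HCI_Reset",
    0x1001: "HCI_Read_Local_Version_Information",
    0x2005: "HCI_LE_Set_Random_Address",
}


@dataclass
class HciCommand:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return (self.opcode >> 10) & 0x3F    # upper 6 bits: opcode group

    @property
    def ocf(self) -> int:
        return self.opcode & 0x03FF           # lower 10 bits: command within the group

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC

    @property
    def name(self) -> str:
        return KNOWN_OPCODES.get(self.opcode, "vendor/unknown 0x%04X" % self.opcode)


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Encode an H4 HCI command: indicator, 16-bit little-endian opcode, length, params."""
    if not 0 <= ogf <= 0x3F or not 0 <= ocf <= 0x3FF or len(params) > 255:
        raise ValueError("opcode or parameter length out of range")
    opcode = (ogf << 10) | ocf
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params


def parse_commands(stream: bytes) -> Iterator[HciCommand]:
    """Walk a byte stream of concatenated H4 command packets.

    Only command packets are handled; a different packet indicator or a
    truncated packet raises instead of guessing at the framing.
    """
    pos = 0
    while pos < len(stream):
        if stream[pos] != H4_COMMAND or pos + 4 > len(stream):
            raise ValueError("unsupported packet type or truncated header at offset %d" % pos)
        opcode, plen = struct.unpack_from("<HB", stream, pos + 1)
        start, end = pos + 4, pos + 4 + plen
        if end > len(stream):
            raise ValueError("truncated parameters at offset %d" % pos)
        yield HciCommand(opcode, stream[start:end])
        pos = end


def audit(stream: bytes) -> List[str]:
    """Return one finding per vendor-specific command seen in the stream."""
    findings = []
    for cmd in parse_commands(stream):
        if cmd.vendor_specific:
            findings.append("vendor-specific command OGF=0x%02X OCF=0x%03X params=%s"
                            % (cmd.ogf, cmd.ocf, cmd.params.hex()))
    return findings


# Constructed trace: two documented commands followed by two hypothetical
# vendor-specific ones. OCF 0x001/0x002 and address 0x1000 are placeholders.
SAMPLE_TRACE = (
    build_command(0x03, 0x003)                                           # HCI_Reset
    + build_command(0x08, 0x005, bytes.fromhex("c0ffee001122"))          # HCI_LE_Set_Random_Address
    + build_command(OGF_VENDOR_SPECIFIC, 0x001, struct.pack("<I", 0x1000))       # hypothetical
    + build_command(OGF_VENDOR_SPECIFIC, 0x002, struct.pack("<II", 0x1000, 4))   # hypothetical
)

if __name__ == "__main__":
    for cmd in parse_commands(SAMPLE_TRACE):
        print("%-40s OGF=0x%02X OCF=0x%03X" % (cmd.name, cmd.ogf, cmd.ocf))
    for line in audit(SAMPLE_TRACE):
        print("FLAG:", line)
```

In practice you would feed `audit()` the command packets captured from the host's HCI transport (for example from a btsnoop log with the H4 indicator restored, or a UART tap) rather than the constructed trace. A vendor-specific opcode is not proof of abuse, since legitimate host stacks also use a few of them during initialization, but any OGF 0x3F command your own firmware does not knowingly send deserves a look.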

Implications and Risks

The undocumented commands could be abused in malicious OEM-level implementations and in supply-chain attacks. They are HCI commands sent by the host to the controller, not something a remote Bluetooth peer can send over the air, so remote exploitation is only feasible once an attacker has already obtained root on the host system or can deploy a malicious firmware update.

Physical access to the device's USB or UART interface is the more realistic attack scenario. With control over the ESP32, an attacker could conceal a persistent implant in the chip (the researchers describe this as hiding advanced persistent threats) and use it to launch Bluetooth or Wi-Fi attacks against other devices.

Espressif has yet to comment on these findings.
