Almost two weeks have passed since people started writing about a vulnerability in ESP32…
March 20, 2025 at 7:50 PM • Max Knyazev is typing… (Telegram mirror)

Almost two weeks have passed since the internet started writing about the vulnerability in ESP32 chips (which, by the way, I use in small rovers), and only now have I decided to tell you about it. Why so long? Because I didn't want to simply reprint the headlines and cause panic. I decided to dig as deep as possible and approach the analysis of all the available information with a cool head. Are you ready? Let's go 🥳
So, in early March, the Spanish security company Tarlogic Security presented the rather alarming results of its research at the RootedCON conference in Madrid. The researchers discovered that the well-known ESP32 chip, which the Chinese company Espressif sells in huge quantities (to put that in perspective, more than a billion have already shipped worldwide), contains 29 hidden commands: undocumented vendor-specific HCI commands that the host processor can send to the chip's Bluetooth controller. The issue was assigned the identifier CVE-2025-27840.
I have collected all 29 commands for you at the end of this post.
These hidden commands give the host direct control over the Bluetooth controller: read and write its RAM and flash, change the device's Bluetooth (MAC) address, inject raw LMP and LLCP packets, and much more. Roughly speaking, they are built-in debugging functions, but because they were documented nowhere and were never intended for public use, the researchers immediately dubbed them a “backdoor.” The wording was later softened to “hidden commands”, but the aftertaste, as they say, remained 😅
The fun begins if an attacker gains at least some control over the device, for example through infected firmware or physical access via USB/UART. Only then can they issue these commands, because HCI commands travel from the host to the controller, not over the air. With that access they could, for example, impersonate another Bluetooth device: your phone thinks it is connecting to your wireless headphones, but in reality it is talking to an attacker's device “disguised” as them. Note the precondition, though: an attacker who can send HCI commands already runs code on the device; what the hidden commands add is low-level control of the radio that normal firmware does not expose 😳
Espressif (the ESP32 manufacturer) gave an official comment a few days after the research was published. They confirmed that the hidden commands exist, but said there was no malicious intent behind them: they are simply internal debugging functions, and the problem concerns the original ESP32 series only, not the newer ESP32-C, ESP32-S and ESP32-H chips. According to Espressif, the commands cannot be invoked remotely via Bluetooth, so there is no real risk of mass “over-the-air” attacks. Just in case, they promised to remove access to these commands in an upcoming software patch 🧠
The community's reaction was divided. Some accused Espressif of negligence, while others rushed to defend the company, arguing that other manufacturers have similar undocumented vendor commands. On his Twitter (sorry, X), Xeno Kovah, well known in cybersecurity circles, explained why this is not a “backdoor” after all and why the news headlines were overblown.
Be sure to keep an eye on firmware updates and install them as soon as they are released. For IoT developers, this is a signal to tighten control over the undocumented capabilities of the chips they build on: know which vendor-specific HCI commands your controller accepts, and lock down the paths (UART, USB, firmware update) through which a compromised host could issue them 🧐
In short, although the news is unpleasant, there is no need to panic. Stay tuned for updates and be careful about what you connect via Bluetooth and Wi-Fi (and why).
Please take care of yourself and your devices (and your loved ones) ❤️
#information_security #Internet_of_things
The 29 hidden commands (vendor-specific HCI opcodes) found by Tarlogic:
0xFC01 – Read memory
0xFC02 – Write memory
0xFC03 – Delete NVDS parameter
0xFC05 – Get flash ID
0xFC06 – Erase flash
0xFC07 – Write flash
0xFC08 – Read flash
0xFC09 – Read NVDS parameter
0xFC0A – Write NVDS parameter
0xFC0B – Enable/disable coexistence
0xFC0E – Send LMP packet
0xFC10 – Read kernel statistics
0xFC11 – Platform reset
0xFC12 – Read memory information
0xFC30 – Read register
0xFC31 – Write register
0xFC32 – Set MAC (BD) address
0xFC35 – Set CRC initial value
0xFC36 – Disable LLCP processing
0xFC37 – Reset RX counter
0xFC38 – Reset TX counter
0xFC39 – Read RF register
0xFC3A – Write RF register
0xFC3B – Set TX power
0xFC40 – Set LE parameters
0xFC41 – Write LE default values
0xFC42 – Enable LLCP pass-through mode
0xFC43 – Send LLCP packet
0xFC44 – Disable LMP processing
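To make concrete what these opcodes are, and why the “disguised device” scenario described above needs host-side access first, here is an added Python example. It is my own illustration, not code from Tarlogic or Espressif. It decodes HCI opcodes into their OGF/OCF fields (all 29 commands fall into the vendor-specific group OGF 0x3F, which is why they all start with 0xFC), builds H4-framed HCI command packets the way a host sends them to the controller over UART/USB, and scans a constructed HCI trace for vendor-specific commands, labelling those that appear in the list above. The parameter layouts of the ESP32 vendor commands are not public, so the payloads in the sample trace are placeholders, and the trace itself is constructed for this example.

```python
"""Added example: HCI vendor-specific commands at the wire level.

The ESP32 "hidden commands" are Bluetooth HCI commands in the vendor-specific
opcode group (OGF 0x3F, opcodes 0xFC00-0xFFFF). They are carried from host to
controller over a serial transport (H4 framing over UART/USB); nothing speaks
this protocol over the air. Sample trace and payloads are constructed here.
"""
import struct
from typing import Iterator

H4_COMMAND = 0x01          # H4 packet indicator: HCI command (host -> controller)
H4_EVENT = 0x04            # H4 packet indicator: HCI event (controller -> host)
OGF_VENDOR_SPECIFIC = 0x3F

# Subset of the published ESP32 opcodes (names paraphrased from the list above).
ESP32_HIDDEN = {
    0xFC01: "Read memory",
    0xFC02: "Write memory",
    0xFC08: "Read flash",
    0xFC0E: "Send LMP packet",
    0xFC32: "Set MAC (BD) address",
}


def split_opcode(opcode: int) -> tuple[int, int]:
    """HCI opcode = OGF (6 bits) << 10 | OCF (10 bits), per the Bluetooth Core spec."""
    return opcode >> 10, opcode & 0x3FF


def is_vendor_specific(opcode: int) -> bool:
    return split_opcode(opcode)[0] == OGF_VENDOR_SPECIFIC


def build_hci_command(opcode: int, params: bytes = b"") -> bytes:
    """H4 command frame: 0x01 | opcode (little-endian 16) | param length | params."""
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params


def iter_h4_frames(stream: bytes) -> Iterator[tuple[int, int, bytes]]:
    """Yield (offset, indicator, frame) for command and event frames in a stream.
    Raises instead of guessing on an unknown indicator or a truncated frame."""
    off = 0
    while off < len(stream):
        ind = stream[off]
        if ind == H4_COMMAND:
            hdr = 4  # indicator + opcode(2) + length(1)
            if off + hdr > len(stream):
                raise ValueError(f"truncated command header at offset {off}")
            plen = stream[off + 3]
        elif ind == H4_EVENT:
            hdr = 3  # indicator + event code(1) + length(1)
            if off + hdr > len(stream):
                raise ValueError(f"truncated event header at offset {off}")
            plen = stream[off + 2]
        else:
            raise ValueError(f"unsupported H4 indicator 0x{ind:02x} at offset {off}")
        end = off + hdr + plen
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {off}")
        yield off, ind, stream[off:end]
        off = end


def flag_vendor_commands(stream: bytes) -> list[dict]:
    """Return every vendor-specific (OGF 0x3F) command found in an H4 trace."""
    hits = []
    for off, ind, frame in iter_h4_frames(stream):
        if ind != H4_COMMAND:
            continue
        opcode, plen = struct.unpack_from("<HB", frame, 1)
        if not is_vendor_specific(opcode):
            continue
        _, ocf = split_opcode(opcode)
        hits.append({
            "offset": off,
            "opcode": opcode,
            "ocf": ocf,
            "name": ESP32_HIDDEN.get(opcode, "unknown vendor command"),
            "params": frame[4:4 + plen],
        })
    return hits


# Constructed trace: a normal HCI_Reset exchange followed by two vendor commands.
# The vendor-command parameter layouts are not public; these payloads are placeholders.
SAMPLE_TRACE = (
    build_hci_command(0x0C03)                                   # HCI_Reset (OGF 0x03, OCF 0x003)
    + bytes([H4_EVENT, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00])     # Command Complete for HCI_Reset
    + build_hci_command(0xFC32, bytes.fromhex("665544332211"))  # Set BD address, placeholder address
    + build_hci_command(0xFC01, b"\x00" * 8)                    # Read memory, placeholder params
)

if __name__ == "__main__":
    for hit in flag_vendor_commands(SAMPLE_TRACE):
        print(f"offset {hit['offset']:3d}: opcode 0x{hit['opcode']:04X} "
              f"(OGF 0x3F, OCF 0x{hit['ocf']:03X}) {hit['name']}")
```

The same filter applies to any host-side HCI capture: because every vendor-specific command lands in OGF 0x3F, that slice of HCI traffic is small and easy to log or block at the transport layer, which is exactly where an IoT vendor would add the kind of control the post calls for.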