29 Undocumented commands found in ESP-32 microcontrollers CVE-2025-27840
-
cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
-
System shared this topic on
-
cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
Seems more like a feature considering how ESP32s are used.
-
Seems more like a feature considering how ESP32s are used.
They are in a lot of IoT devices that are not hobby and dev related too. Like my folk's smoker grill has one that is also on a ridiculous AWS connection and designed to try and stay on 24/7 like proper stalkerware nonsense.
-
They are in a lot of IoT devices that are not hobby and dev related too. Like my folk's smoker grill has one that is also on a ridiculous AWS connection and designed to try and stay on 24/7 like proper stalkerware nonsense.
https://darkmentor.com/blog/esp32_non-backdoor/
There are a number of explanations for those Opcodes. Seems like quite a few knowledgeable peeps are wading in to explain what they think the researchers are seeing. The most open peer review ever!!
-
cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
Not a backdoor, just undocumented commands on the hci. You would already need access to the device from the microcontroller side to leverage them. Also it's not uncommon for older devices like this to have undocumented commands
-
cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
I don't see a spooky name and a logo; this is a dud.
-
cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
The statement from Espressif:
-
System shared this topic on
