CVE-2025-27840: Are our devices at risk?

[rjmunro]

https://nvd.nist.gov/vuln/detail/CVE-2025-27840 describes the existence of undocumented command on the ESP32 that potentially act as backdoors. There's an article here:
https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

[gfwilliams]

Just read the first paragraph of https://www.flyingpenguin.com/?p=67838 (first link from https://nvd.nist.gov/vuln/detail/CVE-2025-27840 )

There is no issue whatsoever - this is just undocumented functionality that's no use to external hackers. If you can run arbitrary code on the ESP32 then yes you can use them, but if a hacker can run arbitrary code then honestly you've got more to worry about than this!

IMO it just makes a mockery of the vulnerability reporting system (I can't believe the CVE even links to this post now!). It's extremely clickbait reporting by bleepingcomputer too - note if you look now they've had to remove the word 'backdoor' from the article.

[xyzzy42]

Indeed, if holes in the documentation are worth a CVE now, I can't even begin to count how many CVEs I've apparently found over the years!

If code running on the MCU can send a command to the virtual HCI to write flash, it could just as easily call esp_flash_write() and write to flash that way.

Even callings thse commands hidden seems a bit too much to me. They are using the vendor specific OGF 0x3f like they should. And they are in the controller's command table with all the rest of the commands. If someone wanted to have hidden HCI commands, then they'd do something like use the reserved mask bits of the "Set Event Mask" command to trigger a flash write if done in a certain combination.

[gfwilliams]

Espressif's response: https://www.espressif.com/en/news/response_esp32_bluetooth