Espressif ESP32 Undocumented Commands
Tarlogic Security's Innovation team presented research at RootedCON 2025 disclosing their discovery of undocumented commands in the ESP32 microchip.
Who is Impacted:
The Espressif ESP32 is a widely used system-on-a-chip (SoC) microcontroller with integrated Wi-Fi and Bluetooth. It is abundant in Internet-of-Things (IoT) devices including, but not limited to, smart home devices, environmental sensors, lighting, and thermostats. Its compact size and low power consumption also make it a common choice for wireless communication in remote control systems, mesh networks, and wearables such as fitness trackers and smartwatches.
Details of the Vulnerability:
Espressif ESP32 chips accept 29 undocumented, vendor-specific Host Controller Interface (HCI) commands, such as 0xFC02 (Write memory). These hidden commands could be abused by threat actors, for example as part of a supply chain attack, to alter the behaviour of devices that embed the chip.
TL;DR of Exploitation Method:
The undocumented commands allow memory reads and writes, MAC address spoofing, and LMP/LLCP packet injection. Software that can issue these HCI commands to the controller could use them to impersonate other devices and manipulate the chip's Bluetooth and Wi-Fi behaviour, while the commands that modify RAM and flash could be used to implant code that persists in the SoC's memory.
Researcher Pascal Gujer points out that the issue is primarily a post-exploitation concern rather than an initial access vector, because the HCI commands have the following limitations:
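As an added example, not code from Tarlogic's tooling or from Espressif, the following Python decodes HCI packets as carried on the H4 serial transport, splits each command opcode into its OGF/OCF pair, and flags vendor-specific commands (OGF 0x3F), the group in which 0xFC02 sits. The parameter bytes attached to 0xFC02 in the sample stream are made up: the page does not document that command's parameter layout, and 0xFC02 is the only ESP32 vendor opcode it names, so the lookup table carries just that entry.

```python
"""Decode H4-framed HCI traffic and flag vendor-specific (OGF 0x3F) commands.

Added example: not part of the Tarlogic research tooling. The 0xFC02 parameter
bytes below are constructed for illustration; their real layout is not documented here.
"""
import struct

# H4 packet indicators (Bluetooth Core Specification, Vol 4, Part A)
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04

# Header layout that follows each indicator: (first field, payload length)
H4_HEADERS = {
    H4_COMMAND: "<HB",  # opcode, parameter length
    H4_EVENT: "<BB",    # event code, parameter length
    H4_ACL: "<HH",      # handle + flags, data length
    H4_SCO: "<HB",      # handle + flags, data length
}

OGF_VENDOR_SPECIFIC = 0x3F  # opcode group reserved for vendor commands

# Only the vendor opcode named in the advisory; others are reported as "unknown".
KNOWN_ESP32_VENDOR_CMDS = {0xFC02: "Write memory"}


def split_opcode(opcode):
    """HCI opcode = OGF in the upper 6 bits, OCF in the lower 10 bits."""
    return opcode >> 10, opcode & 0x03FF


def make_opcode(ogf, ocf):
    return ((ogf & 0x3F) << 10) | (ocf & 0x03FF)


def build_hci_command(opcode, params=b""):
    """H4 command packet: 0x01 | opcode (LE16) | parameter length | parameters."""
    if len(params) > 255:
        raise ValueError("HCI command parameters exceed 255 bytes")
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params


def parse_h4_stream(data):
    """Walk a byte stream of H4 packets into (indicator, first_field, payload) tuples.

    Raises ValueError on an unknown indicator or a truncated packet so that a
    malformed capture is reported instead of being silently misaligned.
    """
    packets, i = [], 0
    while i < len(data):
        ind = data[i]
        fmt = H4_HEADERS.get(ind)
        if fmt is None:
            raise ValueError(f"unknown H4 indicator 0x{ind:02x} at offset {i}")
        hdr_len = struct.calcsize(fmt)
        if i + 1 + hdr_len > len(data):
            raise ValueError(f"truncated header at offset {i}")
        first, plen = struct.unpack_from(fmt, data, i + 1)
        start = i + 1 + hdr_len
        payload = data[start:start + plen]
        if len(payload) != plen:
            raise ValueError(f"truncated payload at offset {i}")
        packets.append((ind, first, payload))
        i = start + plen
    return packets


def flag_vendor_commands(packets):
    """Return every vendor-specific (OGF 0x3F) command found in a parsed H4 stream."""
    findings = []
    for ind, opcode, params in packets:
        if ind != H4_COMMAND:
            continue  # events, ACL and SCO data carry no command opcode
        ogf, ocf = split_opcode(opcode)
        if ogf == OGF_VENDOR_SPECIFIC:
            findings.append({
                "opcode": opcode, "ogf": ogf, "ocf": ocf,
                "name": KNOWN_ESP32_VENDOR_CMDS.get(opcode, "unknown vendor command"),
                "param_len": len(params),
            })
    return findings


# Constructed sample: a standard HCI_Reset, the Command_Complete event answering it,
# then a vendor 0xFC02 command with made-up parameter bytes (layout not documented).
SAMPLE_STREAM = (
    build_hci_command(0x0C03)
    + bytes([H4_EVENT, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00])
    + build_hci_command(0xFC02, bytes.fromhex("00000040080102030405060708"))
)


def audit(stream=SAMPLE_STREAM):
    return flag_vendor_commands(parse_h4_stream(stream))


if __name__ == "__main__":
    for f in audit():
        print(f"vendor command 0x{f['opcode']:04X} (OGF 0x{f['ogf']:02X}, "
              f"OCF 0x{f['ocf']:03X}): {f['name']}, {f['param_len']} parameter bytes")
```

The same OGF split is what a host stack or a monitoring tap on the host-to-controller UART would apply to spot vendor commands being issued on a device that should only ever use standard ones; the parser refuses truncated or unknown packets rather than resynchronising, since a misaligned stream would otherwise produce bogus opcodes.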
- Not remotely exploitable via Bluetooth
- Not an OTA attack
- Requires wired HCI access
- Requires high privileges
Remediations:
Because this issue stems from the OEM Bluetooth firmware implementation, the millions of devices that contain the ESP32 chip will remain susceptible unless a firmware update is made available. In the meantime, since the commands require local HCI access, restricting which software and interfaces can reach the Bluetooth controller limits exposure.
Additional Information:
Tarlogic Security developed a free utility named UsbBluetooth (https://github.com/antoniovazquezblanco/usbbluetooth), a hardware-independent libusb-based driver, to support the development of tests and attacks for Bluetooth security audits from Windows, Linux, or macOS. On Windows, Zadig (https://zadig.akeo.ie/) can be used to bind a libusb-compatible driver to the Bluetooth dongle so the tool can talk to it without further installation steps. The bindings in the C library project allow it to be used from other languages, such as Python and C#.
Scapy UsbBluetooth (https://github.com/antoniovazquezblanco/scapy-usbbluetooth) provides Scapy support for communicating with Bluetooth controllers in the same way.
(Memory maps showing the ESP32's internal memory regions and cache address space appeared here; the images are not reproduced in this text.)
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-27840
https://github.com/TarlogicSecurity/Talks/blob/main/2025_RootedCon_BluetoothTools.pdf
https://github.com/antoniovazquezblanco/usbbluetooth
https://github.com/antoniovazquezblanco/scapy-usbbluetooth
https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/
https://www.deepseadev.com/en/blog/esp32-chip-explained-and-advantages/