Espressif ESP32 Bluetooth Vulnerability

A newly discovered vulnerability in Espressif’s widely used ESP32 Bluetooth chips, identified as CVE-2025-27840, has raised security concerns across the IoT industry. The flaw stems from 29 undocumented commands within the chip’s Bluetooth Host Controller Interface (HCI), which could enable attackers to spoof trusted devices, access data without authorisation, pivot to other devices and establish long-term persistence.

With a CVSS score of 6.8, the risk is categorised as “medium,” but given the vast number of devices using the ESP32 chip, ranging from smart home gadgets to medical equipment, the potential impact is substantial. Exploiting this flaw generally requires physical access to a device’s USB or UART interface, somewhat limiting the attack scope. However, attackers could still conduct impersonation attacks, bypass security audits, and permanently compromise sensitive devices.

Espressif has acknowledged the issue and pledged to release a software patch while documenting all vendor-specific HCI commands to improve transparency. In the meantime, security experts recommend conducting audits, implementing additional safeguards, monitoring Bluetooth activity and staying updated on Espressif’s patches.
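The advisory's recommendation to monitor Bluetooth activity can be turned into a concrete audit step: the Bluetooth Core Specification reserves Opcode Group Field (OGF) 0x3F for vendor-specific HCI commands, so any HCI command trace captured from a device's host-controller link can be scanned for that group and reviewed against the vendor's documented command list. The following parser is an added example written for this page; it is not Espressif's code, not part of the CVE-2025-27840 advisory, and it does not encode any of the 29 undocumented ESP32 commands. It assumes standard H4 (UART transport) framing for commands, ACL data, SCO data and events, and the sample byte stream is constructed, with opcode 0xFC01 used purely as a placeholder in the vendor-specific group.

```python
# Audit helper: parse an H4 HCI byte stream and flag every command whose
# OGF is 0x3F (vendor-specific). Added example, not Espressif code; the
# sample stream below is constructed and 0xFC01 is a placeholder opcode.
from dataclasses import dataclass
from typing import List, Optional

# H4 packet-type indicator bytes (Bluetooth Core Spec, Vol 4, Part A)
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
OGF_VENDOR_SPECIFIC = 0x3F  # OGF reserved for vendor-specific commands


@dataclass
class HciPacket:
    offset: int            # byte offset of the packet within the stream
    kind: int              # H4 packet-type byte
    opcode: Optional[int]  # 16-bit command opcode (commands only)
    payload: bytes         # parameters / data bytes that follow the header

    @property
    def ogf(self) -> Optional[int]:
        return None if self.opcode is None else self.opcode >> 10

    @property
    def ocf(self) -> Optional[int]:
        return None if self.opcode is None else self.opcode & 0x03FF

    def is_vendor_command(self) -> bool:
        return self.kind == H4_COMMAND and self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4(stream: bytes) -> List[HciPacket]:
    """Split an H4 byte stream into packets; raises on unknown or truncated frames."""
    packets: List[HciPacket] = []
    i, n = 0, len(stream)
    while i < n:
        kind = stream[i]
        opcode: Optional[int] = None
        if kind == H4_COMMAND:          # type | opcode(2, LE) | param len(1)
            if i + 4 > n:
                raise ValueError(f"truncated command header at offset {i}")
            opcode = stream[i + 1] | (stream[i + 2] << 8)
            plen, hdr = stream[i + 3], 4
        elif kind == H4_ACL:            # type | handle+flags(2) | data len(2, LE)
            if i + 5 > n:
                raise ValueError(f"truncated ACL header at offset {i}")
            plen, hdr = stream[i + 3] | (stream[i + 4] << 8), 5
        elif kind == H4_SCO:            # type | handle(2) | data len(1)
            if i + 4 > n:
                raise ValueError(f"truncated SCO header at offset {i}")
            plen, hdr = stream[i + 3], 4
        elif kind == H4_EVENT:          # type | event code(1) | param len(1)
            if i + 3 > n:
                raise ValueError(f"truncated event header at offset {i}")
            plen, hdr = stream[i + 2], 3
        else:
            raise ValueError(f"unknown H4 packet type 0x{kind:02X} at offset {i}")
        end = i + hdr + plen
        if end > n:
            raise ValueError(f"truncated payload for packet at offset {i}")
        packets.append(HciPacket(i, kind, opcode, bytes(stream[i + hdr:end])))
        i = end
    return packets


def vendor_commands(stream: bytes) -> List[HciPacket]:
    """Return only the commands that fall in the vendor-specific OGF."""
    return [p for p in parse_h4(stream) if p.is_vendor_command()]


def report(stream: bytes) -> List[str]:
    """Human-readable findings for an audit log, one line per vendor command."""
    return [
        f"offset {p.offset}: vendor-specific HCI command opcode 0x{p.opcode:04X} "
        f"(OCF 0x{p.ocf:03X}), {len(p.payload)} parameter byte(s)"
        for p in vendor_commands(stream)
    ]


# Constructed sample trace: a standard HCI_Reset, its Command Complete event,
# then one vendor-group command with placeholder opcode 0xFC01 (OGF 0x3F, OCF 0x001).
SAMPLE_STREAM = bytes.fromhex(
    "01030c00"        # HCI_Reset: OGF 0x03, OCF 0x0003, no parameters
    "040e0401030c00"  # Command Complete event, 4 params, status 0x00
    "0101fc02aabb"    # constructed vendor-specific command, 2 parameter bytes
)

if __name__ == "__main__":
    for line in report(SAMPLE_STREAM):
        print(line)
```

In practice the input would come from an HCI trace captured on the host side of the link (for example a btsnoop log), and each flagged opcode would be checked against the vendor's published command list once Espressif releases the documentation it has promised; commands outside that list are the ones to escalate.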