CVE-2019-12587

HIGH

Espressif ESP-IDF 2.0.0-4.0.0 & ESP8266_NONOS_SDK 2.2.0-3.1.0 - Broken Cryptographic Algorithm via Zero PMK

Title source: llm
STIX 2.1

Description

The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point.

References (3)

Core 3
Core References
Product x_refsource_misc
https://github.com/espressif
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Matheus-Garbelini/esp32_esp8266_attacks
Patch, Third Party Advisory x_refsource_misc
https://matheus-garbelini.github.io/home/post/zero-pmk-installation/

Scores

CVSS v3 8.1
EPSS 0.0080
EPSS Percentile 51.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-327
Status published
Products (2)
espressif/esp-idf 2.0.0 - 4.0.0
espressif/esp8266_nonos_sdk 2.2.0 - 3.1.0
Published Sep 04, 2019
Tracked Since Feb 18, 2026