CVE-2025-27840

MEDIUM

Espressif ESP32 Firmware - Hidden Functionality via Undocumented HCI Commands

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-27840. PoCs published by demining, em0gi, ladyg00se.

AI-analyzed exploit summary

The repository discusses CVE-2025-27840, a vulnerability in ESP32 microcontrollers affecting Bitcoin wallet security via Bluetooth/Wi-Fi. It outlines multiple cryptographic flaws in key validation, signature forgery, and PRNG weaknesses but lacks executable exploit code.

Description

Firmware on Espressif ESP32 chips accepts 29 hidden (undocumented, vendor-specific) HCI commands, such as 0xFC02 (Write memory).

Exploits (3)

nomisec WRITEUP 11 stars
by demining · poc
https://github.com/demining/Bluetooth-Attacks-CVE-2025-27840

Classification: Writeup 80%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Theoretical
Target: ESP32 microcontrollers (unspecified version)
No auth needed
Prerequisites: Physical/proximity access to ESP32 device · Vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 10 stars
by em0gi · poc
https://github.com/em0gi/CVE-2025-27840

This script enumerates vendor-specific Bluetooth HCI commands by sending crafted packets to a USB-connected ESP32 device. It does not exploit a vulnerability but scans for potential command support.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ESP32 Bluetooth HCI interface
No auth needed
Prerequisites: ESP32 device connected via USB in HCI mode · Python with PySerial and PyBluetooth libraries
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by ladyg00se · poc
https://github.com/ladyg00se/CVE-2025-27840-WIP

This repository contains a writeup for CVE-2025-27840, detailing a medium-severity vulnerability in Espressif ESP32 Bluetooth chips involving undocumented HCI commands. It describes technical details, risks, and mitigation strategies but does not include exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Espressif ESP32 firmware version 2025-03-06
Auth required
Prerequisites: physical access or privileged rights
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.8
EPSS: 0.0126
EPSS Percentile: 65.6%
Attack Vector: PHYSICAL
Vector string: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-912
Status: published
Products (1): espressif/esp32_firmware
Published: Mar 08, 2025
Tracked Since: Feb 18, 2026