CVE-2025-53540
Severity: HIGH
espressif arduino-esp32 < 3.2.1 - Cross-Site Request Forgery via OTA Update Endpoint
Title source: llmDescription
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF): the update endpoints accept POST firmware uploads without any CSRF protection, so a web page served from any origin can make a browser submit such an upload on the user's behalf. An attacker who lures a user whose browser can reach the device (typically a machine on the same local network) to a malicious page can therefore have that browser upload attacker-controlled firmware, which the device flashes and boots, resulting in remote code execution (RCE) on the device. This vulnerability is fixed in 3.2.1.
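As an added example (not code from the arduino-esp32 project, the advisory, or the 3.2.1 fix), the checks an OTA /update handler can apply before it writes any uploaded firmware: an Origin/Referer-against-Host check and a synchronizer token. It is written in plain C++ so it runs off-device; the Headers map, the checkUpdateRequest signature, the header lookups and the token values are assumptions of this example, and on a real WebServer the header values would have to come from its header accessors.

```cpp
// Added example, not project code: CSRF checks for a firmware /update handler.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Request headers with lower-cased names (assumed representation for this example).
using Headers = std::map<std::string, std::string>;

enum class Verdict { Accept, RejectMethod, RejectOrigin, RejectToken };

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// "http://192.168.1.50/update?x=1" -> "http://192.168.1.50" (scheme + host[:port]).
static std::string originOfUrl(const std::string& url) {
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    const auto pathStart = url.find('/', schemeEnd + 3);
    return toLower(url.substr(0, pathStart));
}

// Length-independent comparison so the token check does not leak via timing.
static bool constantTimeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Decide whether a request to /update may write firmware.
//   method       HTTP method of the request
//   h            request headers (lower-cased names)
//   issuedToken  random token the device embedded in the update form it served
//   postedToken  token value carried by this request
Verdict checkUpdateRequest(const std::string& method, const Headers& h,
                           const std::string& issuedToken,
                           const std::string& postedToken) {
    if (method != "POST") return Verdict::RejectMethod;

    // 1. Same-origin check. Browsers send Origin on every cross-site POST, so
    //    fail closed when neither Origin nor Referer identifies the sender.
    const auto host = h.find("host");
    if (host == h.end() || host->second.empty()) return Verdict::RejectOrigin;
    std::string origin;
    const auto o = h.find("origin");
    if (o != h.end()) {
        origin = toLower(o->second);          // "null" or a foreign site fails below
    } else {
        const auto r = h.find("referer");
        if (r != h.end()) origin = originOfUrl(r->second);
    }
    // The device serves plain HTTP, so its own pages have origin http://<Host>.
    if (origin != "http://" + toLower(host->second)) return Verdict::RejectOrigin;

    // 2. Synchronizer token. The attacker's page cannot read the device's form
    //    (same-origin policy), so it cannot learn the token to replay it.
    if (issuedToken.empty() || !constantTimeEquals(issuedToken, postedToken))
        return Verdict::RejectToken;
    return Verdict::Accept;
}

int main() {
    const std::string token = "b7f3c9e1d2a4";  // constructed; must be random per session on a device
    // Constructed request submitted from the device's own update page.
    Headers legit{{"host", "192.168.1.50"}, {"origin", "http://192.168.1.50"}};
    // Constructed CSRF request: the victim's browser submitted the attacker's form.
    Headers forged{{"host", "192.168.1.50"}, {"origin", "http://attacker.example"}};
    std::cout << "legit accepted: "
              << (checkUpdateRequest("POST", legit, token, token) == Verdict::Accept) << "\n";
    std::cout << "forged rejected on origin: "
              << (checkUpdateRequest("POST", forged, token, "") == Verdict::RejectOrigin) << "\n";
    return 0;
}
```

Two placement points matter on the device. The Arduino WebServer invokes the upload callback while the body is still streaming in, before the request handler runs, so the origin check must execute at the start of the upload callback, before Update.begin(), or the flash has already been written by the time the handler rejects the request. For the same reason the token is easiest to carry in the form action's query string or a custom request header rather than in a multipart field that may arrive after the firmware chunks.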
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/espressif/arduino-esp32/security/advisories/GHSA-9vfw-wx65-c872
Scores
CVSS v4: 8.7 (High)
EPSS: 0.0030 (percentile 21.3%)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Base metrics decoded: network attack vector, low attack complexity, no attack requirements, no privileges required, passive user interaction (the victim only has to load a page); high confidentiality, integrity and availability impact on the vulnerable device and no impact on subsequent systems. The threat, environmental and supplemental metrics are all not defined (X).
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-352 (Cross-Site Request Forgery)
Status: published
Products (1)
espressif/arduino-esp32 < 3.2.1
Published: Jul 07, 2025
Tracked Since: Feb 18, 2026