CVE-2025-57808

HIGH NUCLEI

ESPHome <2025.8.0 - Auth Bypass

Title source: llm

Description

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.

Nuclei Templates (1)

ESPHome - Authentication Bypass

HIGHVERIFIEDby sean-kim

Shodan: http.title:"ESPHome"

References (2)

[Patch] https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5

View Patch ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635

Scores

CVSS v3 8.1

EPSS 0.0623

EPSS Percentile 90.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-303

Status published

Affected Products (2)

esphome/esphome_firmware

pypi/esphome < 2025.8.1PyPI

Timeline

Published Sep 02, 2025

Tracked Since Feb 18, 2026