CVE-2025-57808

HIGH NUCLEI

ESPHome < 2025.8.1 - Unauthenticated Authentication Bypass via Empty or Substring Authorization Header

Title source: llm

Exploitation Summary

CVE-2025-57808 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.

Nuclei Templates (1)

ESPHome - Authentication Bypass

HIGHVERIFIEDby sean-kim

Shodan: http.title:"ESPHome"

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635

Patch x_refsource_misc

https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0151

EPSS Percentile 71.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-303

Status published

Products (2)

esphome/esphome_firmware 2025.8.0

pypi/esphome 0 - 2025.8.1PyPI

Published Sep 02, 2025

Tracked Since Feb 18, 2026