The widely used ESP32 microchip, manufactured by Chinese company Espressif and embedded in over a billion devices as of 2023, has been found to contain undocumented commands that could be exploited for cyberattacks.
These hidden commands enable threat actors to spoof trusted devices, gain unauthorized access to sensitive data, pivot within a network, and establish persistent control over affected systems.
Spanish cybersecurity experts Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security uncovered these vulnerabilities and presented their findings at RootedCON in Madrid.
"Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," the company stated in an announcement shared with BleepingComputer.
"Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks, or medical equipment by bypassing code audit controls."
The researchers highlighted that ESP32 is one of the most commonly used chips for Wi-Fi and Bluetooth connectivity in IoT devices, making the potential impact significant. They noted that while interest in Bluetooth security research has declined, this is not due to increased security but rather the lack of effective tools and updated research methodologies.
To address this gap, Tarlogic developed a C-based, cross-platform USB Bluetooth driver that bypasses OS-specific APIs, providing direct hardware access. Using this tool, they discovered 29 undocumented vendor-specific commands (Opcode 0x3F) embedded in the ESP32 Bluetooth firmware. These commands facilitate low-level control over Bluetooth functionality, including RAM and Flash memory manipulation, MAC address spoofing, and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, raising concerns about whether they were intentionally left accessible or unintentionally exposed. The vulnerability has now been assigned CVE-2025-27840.
Potential risks include supply chain attacks and unauthorized firmware modifications at the OEM level. Depending on how Bluetooth stacks handle HCI commands, remote exploitation could be possible through malicious firmware or rogue Bluetooth connections. However, the most realistic attack scenario would involve an attacker gaining physical access to a device via its USB or UART interface.
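How a host could notice such commands in practice, as an added example that is not Tarlogic's driver, Espressif's firmware, or any code from the original article: the vendor-specific commands described above travel over the same HCI transport (USB or UART, H4 framing) as every other Bluetooth command, and an HCI command opcode encodes its group in the top six bits, with group 0x3F reserved for vendor-specific commands. The parser below, run at a logging or proxy layer between the host stack and the controller, splits a raw H4 byte stream into frames, decodes each command's opcode group (OGF) and command field (OCF), and flags or drops anything in the vendor-specific group that is not on an explicit allowlist. The sample stream, the OCF value 0x0001 and its parameter bytes are constructed for illustration and are not real ESP32 commands.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# H4 (UART/USB) packet indicators from the Bluetooth Core spec.
H4_COMMAND = 0x01
H4_ACL = 0x02
H4_EVENT = 0x04

# Opcode layout: OGF in bits 15..10, OCF in bits 9..0. OGF 0x3F is vendor-specific.
OGF_VENDOR_SPECIFIC = 0x3F


@dataclass
class HciCommand:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return (self.opcode >> 10) & 0x3F

    @property
    def ocf(self) -> int:
        return self.opcode & 0x03FF

    @property
    def is_vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4_stream(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an H4 byte stream into (indicator, frame_without_indicator) tuples.

    Raises ValueError on truncated or unknown frames rather than guessing,
    so a monitoring layer fails closed on malformed input.
    """
    frames = []
    i = 0
    while i < len(data):
        ind = data[i]
        if ind == H4_COMMAND:          # opcode(2) + param_len(1) + params
            if i + 4 > len(data):
                raise ValueError("truncated HCI command header")
            end = i + 4 + data[i + 3]
        elif ind == H4_EVENT:          # event_code(1) + param_len(1) + params
            if i + 3 > len(data):
                raise ValueError("truncated HCI event header")
            end = i + 3 + data[i + 2]
        elif ind == H4_ACL:            # handle/flags(2) + data_len(2) + data
            if i + 5 > len(data):
                raise ValueError("truncated ACL header")
            end = i + 5 + struct.unpack_from("<H", data, i + 3)[0]
        else:
            raise ValueError(f"unknown H4 indicator 0x{ind:02x} at offset {i}")
        if end > len(data):
            raise ValueError(f"truncated frame at offset {i}")
        frames.append((ind, data[i + 1:end]))
        i = end
    return frames


def decode_command(frame: bytes) -> HciCommand:
    """Decode an HCI command frame (opcode little-endian, then param length, then params)."""
    opcode, plen = struct.unpack_from("<HB", frame)
    params = frame[3:3 + plen]
    if len(params) != plen:
        raise ValueError("command parameter length mismatch")
    return HciCommand(opcode, params)


def audit_vendor_commands(data: bytes, allowed_ocfs: Optional[Set[int]] = None) -> List[HciCommand]:
    """Return every vendor-specific (OGF 0x3F) command in the stream whose OCF is not allowlisted."""
    allowed = allowed_ocfs or set()
    findings = []
    for ind, frame in parse_h4_stream(data):
        if ind != H4_COMMAND:
            continue
        cmd = decode_command(frame)
        if cmd.is_vendor_specific and cmd.ocf not in allowed:
            findings.append(cmd)
    return findings


def filter_vendor_commands(data: bytes, allowed_ocfs: Optional[Set[int]] = None) -> bytes:
    """Rebuild the stream with non-allowlisted vendor-specific commands removed (deny-by-default)."""
    allowed = allowed_ocfs or set()
    out = bytearray()
    for ind, frame in parse_h4_stream(data):
        if ind == H4_COMMAND:
            cmd = decode_command(frame)
            if cmd.is_vendor_specific and cmd.ocf not in allowed:
                continue
        out.append(ind)
        out += frame
    return bytes(out)


# Constructed sample stream (not a real capture): HCI_Reset, its Command Complete
# event, LE_Set_Scan_Enable, then a made-up vendor command with OCF 0x0001 and
# four placeholder parameter bytes.
SAMPLE_STREAM = bytes.fromhex(
    "01 03 0c 00"
    "04 0e 04 01 03 0c 00"
    "01 0c 20 02 01 00"
    "01 01 fc 04 de ad be ef"
)

if __name__ == "__main__":
    for cmd in audit_vendor_commands(SAMPLE_STREAM):
        print(f"vendor-specific command: OGF=0x{cmd.ogf:02x} OCF=0x{cmd.ocf:04x} params={cmd.params.hex()}")
```

The allowlist parameter exists because legitimate controller firmware, including non-Espressif parts, uses vendor-specific commands for things like firmware download at boot; the useful policy is therefore "only the vendor commands this host stack knowingly issues", not "no vendor commands at all". Logging the flagged commands with their source (which process or which transport endpoint issued them) is what turns this from a parser into a detection.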
"In a context where you can compromise an IoT device with an ESP32, you will be able to hide an APT inside the ESP memory and perform Bluetooth (or Wi-Fi) attacks against other devices while controlling the device over Wi-Fi/Bluetooth," the researchers told BleepingComputer.
"Our findings would allow for complete control over ESP32 chips and the ability to establish persistence via commands that modify RAM and Flash."
"Also, with persistence in the chip, it may be possible to spread to other devices because the ESP32 allows for the execution of advanced Bluetooth attacks."
BleepingComputer reached out to Espressif for a statement, and while an immediate response was unavailable, the company later issued a clarification on March 10, 2025.
Espressif acknowledged the existence of the undocumented commands, stating they were intended as debug tools for internal testing.
"The functionality found [consists of] debug commands included for testing purposes," reads Espressif's statement.
"These debug commands are part of Espressif’s implementation of the HCI (Host Controller Interface) protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers."
While downplaying the security risks, Espressif said the debug commands would be removed in an upcoming software update.
"While these debug commands exist, they cannot, by themselves, pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands," the statement concluded.