Spanish researchers have uncovered 29 undocumented commands within the ESP32 microchip, manufactured by the Chinese company Espressif, which could be exploited for cyberattacks. This chip, widely deployed in Internet of Things (IoT) devices—ranging from smart locks to medical equipment—is embedded in over a billion devices worldwide.
The discovered commands enable attackers to impersonate trusted devices, gain unauthorized access to sensitive data, utilize the chip as a launchpad for attacks on other networked devices, and establish long-term persistence for malicious code. The research was conducted by specialists from Tarlogic Security and presented at the RootedCON conference in Madrid.
According to the researchers, interest in studying Bluetooth vulnerabilities has waned not due to increased protocol security but rather due to the lack of effective tools for conducting modern attacks. To address this, they developed a new USB-Bluetooth driver in C, independent of specific hardware and compatible across multiple platforms, allowing them to analyze the ESP32’s operation at a low level.
Using this tool, Tarlogic specialists discovered concealed commands within the ESP32 Bluetooth firmware (Opcode 0x3F) that grant low-level control over Bluetooth functions. These commands facilitate memory access (reading/writing RAM and Flash), MAC address spoofing to mimic other devices, and the injection of LMP/LLCP packets.
Researchers suggest that these commands function as a kind of “backdoor,” providing extensive control over device memory, enabling Bluetooth-based attacks, and allowing persistent control over the chip. If attackers obtain root access to a device or introduce malware via a firmware update, they could remotely exploit these hidden features for malicious purposes. In scenarios where physical access is possible through USB or UART, the threat becomes even more severe.
Experts warn that the ESP32 is one of the most prevalent solutions for enabling Wi-Fi and Bluetooth connectivity in IoT devices, making the risk of large-scale attacks substantial. The vulnerability has already been assigned the identifier CVE-2025-27840.
As of now, Espressif has not issued an official statement regarding the discovered issue. Meanwhile, the situation underscores a concerning trend—where billions of devices may be at risk due to obscure functionalities hidden within a single critical component of their architecture.
