Security researchers have uncovered several critical vulnerabilities in Espressif Systems’ ESP-IDF framework that could allow attackers to execute arbitrary code on ESP32 devices via Bluetooth interfaces.
The high-risk flaws, which affect ESP-IDF versions 5.0.7, 5.1.5, 5.2.3, and 5.3.1 (and likely others), have not been assigned official CVE identifiers.
These vulnerabilities specifically affect the BluFi reference application, which is widely reused across projects for WiFi configuration.
Buffer Overflows in WiFi Credential Settings
The discovered flaws center around Espressif’s BluFi implementation, which allows users to configure ESP32 devices with WiFi network credentials over Bluetooth.
NCC Group identified multiple memory corruption vulnerabilities and cryptographic weaknesses in this reference application.
These vulnerabilities could be exploited to gain complete control of affected devices or extract sensitive information.
“An attacker can achieve arbitrary code execution on an ESP32 device via the Bluetooth interface, and/or discover secret information on the device or Bluetooth channel such as WiFi network credentials,” states NCC Group’s report.
The technical details involve buffer overflows in WiFi credential setting commands, enabling attackers to inject malicious code into the device’s memory:
The flaw lies in using the input buffer’s length (param->sta_ssid.ssid_len) rather than the destination buffer’s capacity (sizeof(sta_config.sta.ssid)) as the length parameter for strncpy.
These issues present a significant security risk as Espressif’s chips power millions of connected devices worldwide in smart homes, industrial systems, and various IoT applications.
Diffie-Hellman Key Negotiation Vulnerabilities
Another high-risk vulnerability exists in the Diffie-Hellman key negotiation process.
The BluFi implementation hard-codes its public key buffer to 128 bytes (1024 bits) but fails to validate that received parameters match this constraint:
This allows attackers to specify a larger modulus, triggering a buffer overflow when the device calculates its public key.
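The two length checks described above (the SSID copy bounded by the destination capacity, and the Diffie-Hellman parameter lengths checked against the fixed 128-byte public-key buffer), as an added example in C. This is not code from ESP-IDF, Espressif or NCC Group's report: only the field names param->sta_ssid.ssid_len and sta_config.sta.ssid and the 128-byte buffer size come from the article; the struct layouts, the 32-byte SSID capacity, the function names and the return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from ESP-IDF or NCC Group's report.
 * Only the field names param->sta_ssid.ssid_len and sta_config.sta.ssid
 * and the 128-byte public-key buffer come from the article; the struct
 * layouts, function names and return codes are assumptions. */

#define WIFI_SSID_CAPACITY      32   /* assumed fixed capacity of the SSID field */
#define BLUFI_DH_PUBKEY_BYTES  128   /* 1024-bit buffer described in the article */

typedef struct {
    struct {
        const uint8_t *ssid;     /* bytes received over Bluetooth */
        size_t         ssid_len; /* length claimed by the remote peer */
    } sta_ssid;
} blufi_param_t;

typedef struct {
    struct {
        uint8_t ssid[WIFI_SSID_CAPACITY];
    } sta;
} wifi_config_t;

/* Hardened SSID setter.  The flaw described in the article was a copy
 * bounded by the peer-controlled ssid_len instead of the destination
 * capacity sizeof(sta_config.sta.ssid).  Here the peer length is checked
 * against that capacity first and over-long input is rejected outright,
 * so no write can exceed the array.  Returns 0 on success, -1 on reject. */
int blufi_set_sta_ssid(wifi_config_t *sta_config, const blufi_param_t *param)
{
    const size_t cap = sizeof(sta_config->sta.ssid);

    if (param->sta_ssid.ssid == NULL || param->sta_ssid.ssid_len > cap) {
        return -1;
    }
    memset(sta_config->sta.ssid, 0, cap);   /* zero-fill; copy is at most cap bytes */
    memcpy(sta_config->sta.ssid, param->sta_ssid.ssid, param->sta_ssid.ssid_len);
    return 0;
}

/* Length gate for the Diffie-Hellman negotiation: the public-key buffer is
 * fixed at 128 bytes, so a modulus or peer public key longer than that must
 * be refused before any modular arithmetic writes into the buffer.
 * Returns 0 when both lengths fit, -1 otherwise. */
int blufi_check_dh_len(size_t modulus_len, size_t peer_pubkey_len)
{
    if (modulus_len == 0 || modulus_len > BLUFI_DH_PUBKEY_BYTES) {
        return -1;
    }
    if (peer_pubkey_len == 0 || peer_pubkey_len > modulus_len) {
        return -1;
    }
    return 0;
}

/* Driver: feeds a constructed SSID with the given claimed length through
 * the hardened setter and returns its result code. */
int try_set_ssid(const uint8_t *ssid, size_t claimed_len)
{
    wifi_config_t sta_config;
    blufi_param_t param;
    param.sta_ssid.ssid = ssid;
    param.sta_ssid.ssid_len = claimed_len;
    return blufi_set_sta_ssid(&sta_config, &param);
}

int main(void)
{
    static const uint8_t ssid[] = "homenet";                 /* constructed sample */
    printf("7-byte SSID:  %d\n", try_set_ssid(ssid, 7));     /* 0  */
    printf("33-byte SSID: %d\n", try_set_ssid(ssid, 33));    /* -1 */
    printf("DH 128/128:   %d\n", blufi_check_dh_len(128, 128)); /* 0  */
    printf("DH 256/128:   %d\n", blufi_check_dh_len(256, 128)); /* -1 */
    return 0;
}
```

The design point is that both checks compare a peer-supplied length against a capacity the firmware owns, and reject rather than truncate: silently truncating an over-long SSID would still leave the device configured with a value the peer did not send, and a truncated modulus would change the arithmetic of the key exchange.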
The BluFi secure key exchange process lacks proper authentication, making it vulnerable to Man-in-the-Middle attacks. Without authenticated pairing:
- Clients cannot verify they’re connecting to legitimate ESP32 devices
- Attackers can establish separate connections with real target devices
- Sensitive information like WiFi credentials can be intercepted and decrypted
Mitigations
Patches addressing the memory corruption issues are now available in multiple branches of the official esp-idf repository.
Key commit hashes include 3fc6c93936077cb1659e1f0e0268e62cf6423e9d (master branch), f40aa9c587a8e570dfde2e6330382dcd170d5a5d (v5.3), bf50c0c197af30990026c8f8286298d2aa5a3c99 (v5.2), and others across various versions.
Security experts strongly recommend that all ESP32 developers and users immediately update their ESP-IDF frameworks to the patched versions.
Organizations utilizing ESP32 devices in production environments should conduct thorough security audits to identify potential exposures, particularly in applications implementing the BluFi interface.
Implementing additional security controls where possible can help mitigate potential exploitation while updates are being deployed.
As IoT adoption continues to accelerate across industries, vulnerabilities in widely used platforms like ESP-IDF present escalating risks to connected ecosystems.
Developers and users of Espressif products should remain vigilant about security updates and implement proper security controls to protect their devices and data.