ESP32 CVE-2025-27840

If you are looking for a cheap and efficient prototyping board to handle BLE communications, chances are you have heard of the ESP32. Often cheaper than an Arduino, considerably faster, and programmable from the Arduino IDE, it has everything a hobbyist needs. And not only hobbyists: while the DevKits are sold on many maker sites, the chip itself is readily available and easy to integrate into your own designs.

Enter RootedCON, a Spanish IT security conference, where we learned that ESP32 chips have “hidden” HCI commands. The text on NIST’s website states:

Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).

At first glance, this sounds critical: by issuing a command, an attacker can access memory. Secrets, keys, program execution… the list of potential weaknesses is long. The ESP32 series is designed and made by Espressif, a publicly listed Chinese company. Enter rumors of a backdoor into hundreds of millions of systems.

Hang on. Not so fast. This is far from Espressif’s first disclosure of vulnerabilities. They have had a good track record up until now, and we also need to look a little closer at the vulnerability.

First of all, TinyROM is not a security consultancy company. We implement security, as all companies should, but we are not pen testers. The information listed here is our thoughts on what is going on. The official page for information remains NIST’s website, and the link is here: https://nvd.nist.gov/vuln/detail/CVE-2025-27840. At the time of writing, this vulnerability is still “undergoing analysis.”

What we do know is that HCI commands, the Host Controller Interface messages a Bluetooth host stack uses to instruct the controller, are not exposed over BLE itself. You cannot connect to the device over the air and issue HCI commands. That alone eliminates a good portion of potential attacks.

HCI opcodes are 16-bit values made of a 6-bit Opcode Group Field (OGF) and a 10-bit Opcode Command Field (OCF). The groups 0x01 to 0x08 are standardised by the Bluetooth SIG, so a command such as HCI_Reset (0x0C03) means the same thing for every manufacturer. OGF 0x3F, which covers opcodes 0xFC00 to 0xFFFF, is reserved for vendor-specific commands, and 0xFC02 sits in that range: it is “Write memory” on the ESP32 only because Espressif defined it that way, and another vendor’s 0xFC02 can do something entirely different. In this range, Espressif seems to have 29 commands. Put simply, we don’t (yet) know what they all do. That doesn’t necessarily mean Espressif is trying to do anything tricky; every vendor has specific commands for its own hardware, typically used by its own host stack, test tools and firmware-update flows.
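To make the OGF/OCF split concrete, here is an added example (not code from this page's author, from Espressif, or from the RootedCON research) that decodes HCI command packets in the H4 UART framing and flags the ones that fall in the vendor-specific range. The sample frames are constructed; the 4-byte payload attached to 0xFC02 is made up and says nothing about the real parameter format of that command.

```python
"""Decode HCI command opcodes and flag vendor-specific (OGF 0x3F) commands.

Added example for this page, not code from Espressif or from the RootedCON
research. It parses Bluetooth HCI command packets in the H4 UART framing
(indicator byte 0x01, 16-bit little-endian opcode, parameter length,
parameters) and reports which commands fall in the vendor-specific range.
The sample frames at the bottom are constructed for illustration; the
parameter layout used for 0xFC02 is made up and is NOT Espressif's format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

H4_COMMAND_INDICATOR = 0x01   # H4 packet type for HCI command packets
OGF_VENDOR_SPECIFIC = 0x3F    # Bluetooth Core spec: vendor-specific group

# Standard Opcode Group Fields defined by the Bluetooth SIG.
STANDARD_OGF_NAMES = {
    0x01: "Link Control",
    0x02: "Link Policy",
    0x03: "Controller & Baseband",
    0x04: "Informational Parameters",
    0x05: "Status Parameters",
    0x06: "Testing",
    0x08: "LE Controller",
}


def split_opcode(opcode: int) -> Tuple[int, int]:
    """Return (OGF, OCF): the top 6 bits are the group, the low 10 bits the command."""
    return (opcode >> 10) & 0x3F, opcode & 0x3FF


def make_opcode(ogf: int, ocf: int) -> int:
    """Inverse of split_opcode: OGF 0x3F, OCF 0x002 -> 0xFC02."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x3FF)


def is_vendor_specific(opcode: int) -> bool:
    """True for opcodes 0xFC00-0xFFFF, whose meaning is defined by the chip vendor."""
    return split_opcode(opcode)[0] == OGF_VENDOR_SPECIFIC


@dataclass
class HciCommand:
    opcode: int
    ogf: int
    ocf: int
    params: bytes

    @property
    def group_name(self) -> str:
        if self.ogf == OGF_VENDOR_SPECIFIC:
            return "Vendor Specific"
        return STANDARD_OGF_NAMES.get(self.ogf, "Reserved")


def parse_h4_command(frame: bytes) -> HciCommand:
    """Parse one H4-framed HCI command; reject anything malformed."""
    if len(frame) < 4:
        raise ValueError("frame too short for an HCI command header")
    if frame[0] != H4_COMMAND_INDICATOR:
        raise ValueError(f"not an HCI command packet (indicator 0x{frame[0]:02X})")
    opcode = int.from_bytes(frame[1:3], "little")
    param_len = frame[3]
    params = bytes(frame[4:])
    if len(params) != param_len:
        raise ValueError(f"parameter length {param_len} does not match {len(params)} bytes")
    ogf, ocf = split_opcode(opcode)
    return HciCommand(opcode, ogf, ocf, params)


def audit_frames(frames: Iterable[bytes]) -> List[HciCommand]:
    """Return the vendor-specific commands found in a sequence of H4 frames."""
    return [cmd for cmd in map(parse_h4_command, frames) if is_vendor_specific(cmd.opcode)]


# Constructed sample traffic: two standard commands and one vendor-specific one.
SAMPLE_FRAMES = [
    bytes([0x01, 0x03, 0x0C, 0x00]),                          # HCI_Reset (OGF 0x03, OCF 0x003)
    bytes([0x01, 0x0B, 0x20, 0x07,                            # LE_Set_Scan_Parameters (0x200B)
           0x01, 0x10, 0x00, 0x10, 0x00, 0x00, 0x00]),
    bytes([0x01, 0x02, 0xFC, 0x04, 0xEF, 0xBE, 0xAD, 0xDE]),  # 0xFC02 with a made-up 4-byte payload
]

if __name__ == "__main__":
    for cmd in map(parse_h4_command, SAMPLE_FRAMES):
        flag = "VENDOR" if is_vendor_specific(cmd.opcode) else "std   "
        print(f"{flag} opcode=0x{cmd.opcode:04X} OGF=0x{cmd.ogf:02X} OCF=0x{cmd.ocf:03X} "
              f"{cmd.group_name} params={cmd.params.hex()}")
```

Running it prints one line per frame, marking 0xFC02 as Vendor Specific and the other two as standard. The same check placed in front of a UART HCI transport is a cheap way to log which undocumented opcodes a host stack actually sends to the controller, which is the first thing you would want to know before deciding whether any of the 29 commands matter for your product.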

As said above, these commands cannot be run over Bluetooth. They have to come from the host side of the HCI link, which on a typical ESP32 product means either physical access to the UART port or code that is already running on the chip. Physical access could allow an attacker to read flash to extract keys or to write code, but at this stage we don’t know. Memory access isn’t as easy as some people think, and even with a working HCI read command, there is no guarantee the function can reach protected memory.

Rumors of a backdoor seem pretty alarmist. It does look like this is just an undocumented command set. This is something that needs to be followed, but I don’t think we’ll be seeing hundreds of millions of compromised systems, not yet. We might see key leaks, though. Only time will tell. If you are using an ESP32, please watch the NIST page, or contact us to see what we can do.