Tarlogic discovers undocumented HCI commands in Espressif's ESP32 module

Posted date 21/03/2025

Cybersecurity researchers from Tarlogic presented their solution for auditing Bluetooth devices at RootedCON on 6 March. In the course of that work, Tarlogic detected 29 commands in the ESP32 module that are not documented by its manufacturer, Espressif. The ESP32 is a microcontroller that provides Wi-Fi and Bluetooth connectivity; it is one of the most widely used models worldwide in IoT environments and is present in millions of mass-market devices.

These vendor-specific commands can be used to read and write RAM and flash memory, and to send certain low-level packets that cannot normally be sent from the Host, given the characteristics of these Bluetooth devices. The existence of such commands does not present a security risk by itself, but it does reflect bad practice by the manufacturer and makes it easier for a malicious actor to compromise the security of these devices.
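As an added example (not Tarlogic's audit tool and not Espressif code), the following Python walks an H4-framed HCI command trace and flags every command whose opcode falls in the vendor-specific group, which is where commands of this kind live according to the Bluetooth Core Specification (OGF 0x3F). The sample trace and the vendor opcode in it are constructed for illustration and make no claim about any real ESP32 command.

```python
"""Flag vendor-specific HCI commands in an H4-framed trace (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterator, List

HCI_COMMAND_PKT = 0x01        # H4 packet type byte for an HCI command
OGF_VENDOR_SPECIFIC = 0x3F    # opcode group reserved for vendor commands


@dataclass
class HciCommand:
    ogf: int
    ocf: int
    params: bytes

    @property
    def opcode(self) -> int:
        # 16-bit opcode: OGF in the top 6 bits, OCF in the low 10 bits
        return (self.ogf << 10) | self.ocf

    @property
    def is_vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4_commands(stream: bytes) -> Iterator[HciCommand]:
    """Yield each HCI command packet in an H4 stream of command packets.

    Header layout after the type byte: opcode (uint16 LE), param length (uint8).
    Other H4 packet types are rejected rather than silently desynchronising.
    """
    pos = 0
    while pos < len(stream):
        if stream[pos] != HCI_COMMAND_PKT:
            raise ValueError(f"unsupported H4 packet type 0x{stream[pos]:02x} at {pos}")
        if pos + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        opcode, plen = struct.unpack_from("<HB", stream, pos + 1)
        params = stream[pos + 4 : pos + 4 + plen]
        if len(params) != plen:
            raise ValueError("truncated HCI command parameters")
        yield HciCommand(ogf=opcode >> 10, ocf=opcode & 0x3FF, params=params)
        pos += 4 + plen


def vendor_specific_commands(stream: bytes) -> List[HciCommand]:
    """Return only the OGF 0x3F commands, the ones an audit should inspect."""
    return [c for c in parse_h4_commands(stream) if c.is_vendor_specific]


# Constructed sample: a standard HCI_Reset (opcode 0x0C03, no params) followed by
# a made-up vendor command (OGF 0x3F, OCF 0x123 -> opcode 0xFD23) with 3 param bytes.
SAMPLE_TRACE = bytes([0x01, 0x03, 0x0C, 0x00, 0x01, 0x23, 0xFD, 0x03, 0xAA, 0xBB, 0xCC])
```

Running `vendor_specific_commands(SAMPLE_TRACE)` returns the single constructed vendor command; in a real audit the stream would come from an HCI capture (for example a btsnoop log with the H4 type byte preserved).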

Although the risk is not high, the vendor has stated that it will release a software update that lets users remove these debug commands.

The case has been registered as vulnerability CVE-2025-27840.