ESP32 Chips Found With Hidden Bluetooth Commands

Researchers from Tarlogic Security presented their findings at the RootedCON conference. They analyzed the low-level firmware of the ESP32 microcontroller, which integrates built-in Wi-Fi and Bluetooth controllers. According to a 2023 report from Espressif, the Chinese company that makes the chip, more than a billion ESP32 units have been sold worldwide. While analyzing the Bluetooth firmware loaded on the chip, the researchers discovered 29 undocumented Host Controller Interface (HCI) commands for controlling the Bluetooth controller.

The precondition is that an attacker can already execute code on the device's host side (its operating system or application firmware); from there, these HCI commands give access to the internal environment of the Bluetooth controller, where the controller firmware runs. With them, an attacker could read and write controller memory, modify flash, change the device's MAC address, and manipulate Bluetooth traffic. The researchers noted that such capabilities have been described as a backdoor, but they believe the commands are more likely leftover low-level debugging functionality. MITRE has assigned the issue CVE-2025-27840, with a severity score of 6.8 out of 10.


In practical terms, the discovered functionality allows attackers to access the Bluetooth controller at a low level, bypassing standard software interfaces. These commands could be used to manipulate Bluetooth traffic or introduce malware components into the ESP controller discreetly.
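Because these commands travel over the same host-to-controller HCI link as every documented command, one practical check is to audit that link for commands in the vendor-specific opcode group. The following is an added example written for this page, not code from Tarlogic or Espressif: it encodes and decodes HCI command packets in the standard H4 framing (1-byte packet indicator 0x01, 16-bit little-endian opcode composed of a 6-bit OGF and 10-bit OCF, 1-byte parameter length, parameters) and flags anything sent with OGF 0x3F, the group the Bluetooth specification reserves for vendor-specific commands. The OCF value 0x0001 and the parameter bytes in the sample stream are placeholders constructed for the demonstration; they are not the opcodes or arguments of the undocumented ESP32 commands, which the article does not list.

```python
"""Encode, decode and audit Bluetooth HCI command packets (H4 framing).

Added example: flags vendor-specific (OGF 0x3F) commands in a host-to-controller
HCI stream. The sample stream below is constructed for this demonstration.
"""
import struct

HCI_COMMAND_PKT = 0x01           # H4 packet indicator: command, host -> controller
OGF_CONTROLLER_BASEBAND = 0x03   # standard group, e.g. HCI_Reset
OCF_RESET = 0x0003
OGF_VENDOR_SPECIFIC = 0x3F       # group reserved for vendor-specific commands
HYPOTHETICAL_VENDOR_OCF = 0x0001 # placeholder OCF, NOT a known ESP32 opcode


def build_hci_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Return an H4-framed HCI command packet for the given OGF/OCF and parameters."""
    if not 0 <= ogf <= 0x3F or not 0 <= ocf <= 0x3FF:
        raise ValueError("OGF is a 6-bit field and OCF a 10-bit field")
    if len(params) > 0xFF:
        raise ValueError("HCI command parameter length is a single byte")
    opcode = (ogf << 10) | ocf
    return bytes([HCI_COMMAND_PKT]) + struct.pack("<HB", opcode, len(params)) + params


def parse_hci_command(packet: bytes):
    """Split an H4 HCI command packet into (ogf, ocf, params), validating framing."""
    if len(packet) < 4 or packet[0] != HCI_COMMAND_PKT:
        raise ValueError("not an H4 HCI command packet")
    opcode, plen = struct.unpack_from("<HB", packet, 1)
    params = packet[4:]
    if len(params) != plen:
        raise ValueError(f"parameter length mismatch: header says {plen}, got {len(params)}")
    return opcode >> 10, opcode & 0x3FF, params


def audit_hci_stream(packets):
    """Return one finding per vendor-specific command seen in a list of H4 command packets.

    A finding records the packet index, full 16-bit opcode, OCF and raw parameters so
    an analyst can compare it against the vendor's documented command set.
    """
    findings = []
    for index, pkt in enumerate(packets):
        ogf, ocf, params = parse_hci_command(pkt)
        if ogf == OGF_VENDOR_SPECIFIC:
            findings.append({
                "index": index,
                "opcode": (ogf << 10) | ocf,
                "ocf": ocf,
                "params": params.hex(),
            })
    return findings


# Constructed sample: a normal HCI_Reset followed by a hypothetical vendor command
# carrying a 32-bit little-endian address and a one-byte length (placeholder layout).
SAMPLE_STREAM = [
    build_hci_command(OGF_CONTROLLER_BASEBAND, OCF_RESET),
    build_hci_command(OGF_VENDOR_SPECIFIC, HYPOTHETICAL_VENDOR_OCF,
                      struct.pack("<I", 0x40000000) + b"\x10"),
]

if __name__ == "__main__":
    for finding in audit_hci_stream(SAMPLE_STREAM):
        print(f"packet {finding['index']}: vendor-specific opcode 0x{finding['opcode']:04X} "
              f"(OCF 0x{finding['ocf']:03X}) params={finding['params']}")
```

On a real device the packet list would come from a UART/USB capture or from the host stack's HCI trace (for example, a btmon or btsnoop log on Linux); any vendor-specific opcode that does not appear in the vendor's published command documentation deserves a closer look.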

Malicious software embedded in the Bluetooth controller could be used to target other Bluetooth devices, for example by forcing the compromised device to connect to smartphones and computers and to execute control commands transmitted
