Bluetooth firmware vulnerabilities found in ESP32 microcontroller

bankinfosecurity.com

Researchers have found 29 undocumented commands in the Bluetooth firmware of the ESP32 microcontroller, a widely used chip made by Espressif Systems. These commands could allow unauthorized modifications and pose security risks in various devices, including IoT applications. The commands were initially labeled a "backdoor," but the cybersecurity firm Tarlogic later clarified that they are "hidden features" that enable operations like reading and modifying memory. The commands could facilitate supply chain attacks and identity theft. They are tracked as CVE-2025-27840, with a medium-severity risk assessment. Experts noted that exploiting these commands requires physical access to the device, limiting the immediate threat level.

