
What Happened
On March 7, 2025, Tarlogic Security researchers presented their findings at RootedCON, the largest Spanish-language cybersecurity conference. The presentation detailed the discovery of 29 hidden commands in the ESP32 chip's Bluetooth implementation that were not documented by manufacturer Espressif.
The research emerged from ongoing work by Tarlogic's Innovation Department on Bluetooth security. The team developed a new C-based USB Bluetooth driver called BluetoothUSB specifically to enable comprehensive security testing across different operating systems. During their analysis using the BSAM methodology, they identified the undocumented vendor-specific commands.
Espressif, headquartered in Shanghai, reported in 2023 that cumulative sales of the ESP32 chip had reached one billion units. The chip's low cost and integrated WiFi and Bluetooth capabilities have made it a popular choice for IoT device manufacturers worldwide.
The National Vulnerability Database assigned CVE-2025-27840 to track the issue. At the time of reporting, Espressif had not issued a public statement regarding the findings.
Key Claims and Evidence
The Tarlogic researchers documented specific technical capabilities enabled by the undocumented commands:
Memory Access: The hidden commands allow reading and writing to both RAM and Flash memory on the ESP32 chip. According to the researchers, this capability could enable attackers to inject malicious code that persists across device reboots.
MAC Address Manipulation: The commands permit modification of the device's Bluetooth MAC address. The researchers stated this could facilitate device impersonation attacks where an attacker's device masquerades as a trusted peripheral.
Packet Injection: The undocumented functionality includes the ability to inject LMP and LLCP packets. These protocols handle Bluetooth link management and logical link control, and injection capabilities could enable various man-in-the-middle attack scenarios.
Opcode 0x3F: All 29 commands are issued through HCI opcode group field (OGF) 0x3F, the range the Bluetooth specification reserves for vendor-specific commands and that chip manufacturers use to implement proprietary functionality; individual commands within the group are distinguished by their opcode command field (OCF). None of the commands were included in Espressif's public documentation.
The researchers developed BluetoothUSB, a cross-platform driver released as free software, to enable the security testing that led to the discovery. The tool allows security audits of Bluetooth devices regardless of operating system.

Pros and Opportunities
The disclosure creates several opportunities for the security community and device manufacturers:
Improved Audit Capabilities: The BluetoothUSB tool released alongside the research provides manufacturers and security professionals with new capabilities for testing Bluetooth implementations. The cross-platform nature of the tool addresses a gap in existing security testing infrastructure.
Supply Chain Awareness: The findings highlight the importance of security auditing for commodity components used across multiple product lines. Organizations deploying ESP32-based devices can now assess their exposure and implement appropriate mitigations.
Methodology Advancement: Tarlogic's BSAM framework, which guided the research, offers a systematic approach to Bluetooth security assessment that other researchers and organizations can adopt.
Vendor Accountability: Public disclosure of undocumented functionality creates pressure for chip manufacturers to provide complete documentation and security assessments of their products.
Cons, Risks, and Limitations
The discovery presents significant security concerns:
Scale of Exposure: With over one billion ESP32 units deployed globally, the potential attack surface is substantial. The chip appears in consumer electronics, industrial equipment, and medical devices, creating diverse risk scenarios.
Persistence Capability: The ability to write to flash memory means attackers could establish footholds that survive device reboots and potentially firmware updates, depending on implementation.
Detection Challenges: Undocumented commands operating at the chip level may evade security monitoring that focuses on higher-level protocols and application behavior.
Patch Complexity: Addressing the issue may require firmware updates to affected devices, many of which lack over-the-air update capabilities or are deployed in environments where updates are impractical.
Physical Access Requirements: The researchers noted that exploiting the commands typically requires either physical access to the device or prior compromise of a connected system. However, the persistence capabilities could extend the impact of initial compromises.
At the time of reporting, no evidence of active exploitation in the wild had been documented.

How the Technology Works
The ESP32 is a system-on-chip (SoC) that integrates WiFi and Bluetooth connectivity with a dual-core processor. Manufactured by Espressif, the chip handles wireless communication for the host device, managing protocol stacks and radio frequency operations.
Bluetooth communication between a host system and the ESP32 occurs through the Host Controller Interface (HCI), a standardized protocol that defines commands and events for Bluetooth operations. The HCI specification reserves certain opcode ranges for vendor-specific extensions, allowing chip manufacturers to implement proprietary functionality.
The undocumented commands discovered by Tarlogic are issued under OGF 0x3F, the vendor-specific opcode group. When a host system sends these commands to the ESP32, the chip executes operations not described in public documentation, including direct memory access and packet manipulation.
Technical context: LMP (Link Manager Protocol) runs on the BR/EDR controller, handling link setup, authentication, and encryption negotiation between devices. LLCP (Link Layer Control Protocol) is the corresponding control protocol of the Bluetooth Low Energy link layer, carrying connection control procedures such as feature exchange, connection parameter updates, and encryption setup. Both normally execute inside the controller, below the host's view, so injection capabilities at these layers could enable attacks that bypass higher-level security mechanisms.
The researchers developed their BluetoothUSB driver in C to provide low-level access to Bluetooth hardware across operating systems. Existing tools often depend on specific operating system Bluetooth stacks, limiting their utility for comprehensive security testing.
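The HCI opcode structure described above, and the detection gap noted under "Detection Challenges", are easier to see with a small decoder. The following is an added example written for this page; it is not code from Tarlogic's BluetoothUSB driver or from Espressif. It parses H4-framed HCI command packets, splits each 16-bit opcode into its OGF and OCF, and flags every command in the vendor-specific group 0x3F, which is the check a host-side monitor would apply to an HCI trace. The byte stream is constructed for illustration, and the vendor OCFs in it are placeholders, not the ESP32's actual undocumented commands.

```python
"""Decode HCI command packets and flag vendor-specific ones (OGF 0x3F).

Added example, not code from Tarlogic's BluetoothUSB or from Espressif.
The byte stream below is constructed for illustration; the vendor OCFs in
it are placeholders, not the ESP32's actual undocumented commands.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

HCI_COMMAND_PKT = 0x01        # H4 packet indicator for an HCI command
OGF_VENDOR_SPECIFIC = 0x3F    # OGF reserved by the Core spec for vendor commands

OGF_NAMES = {
    0x01: "Link Control",
    0x02: "Link Policy",
    0x03: "Controller & Baseband",
    0x04: "Informational Parameters",
    0x05: "Status Parameters",
    0x06: "Testing",
    0x08: "LE Controller",
    OGF_VENDOR_SPECIFIC: "Vendor Specific",
}


@dataclass
class HciCommand:
    opcode: int
    ogf: int
    ocf: int
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def split_opcode(opcode: int) -> Tuple[int, int]:
    """A 16-bit HCI opcode is OGF (upper 6 bits) | OCF (lower 10 bits)."""
    return opcode >> 10, opcode & 0x03FF


def make_opcode(ogf: int, ocf: int) -> int:
    """Inverse of split_opcode, with range checks on both fields."""
    if not 0 <= ogf <= 0x3F or not 0 <= ocf <= 0x3FF:
        raise ValueError("OGF must fit in 6 bits and OCF in 10 bits")
    return (ogf << 10) | ocf


def parse_hci_commands(stream: bytes) -> List[HciCommand]:
    """Parse back-to-back H4-framed HCI commands.

    Frame layout: 0x01, opcode (2 bytes little-endian), parameter length
    (1 byte), parameters. Truncated or non-command frames raise ValueError
    rather than being silently skipped.
    """
    commands = []
    offset = 0
    while offset < len(stream):
        if stream[offset] != HCI_COMMAND_PKT:
            raise ValueError(f"not an HCI command at offset {offset}")
        if offset + 4 > len(stream):
            raise ValueError(f"truncated command header at offset {offset}")
        opcode, plen = struct.unpack_from("<HB", stream, offset + 1)
        start, end = offset + 4, offset + 4 + plen
        if end > len(stream):
            raise ValueError(f"truncated parameters at offset {start}")
        ogf, ocf = split_opcode(opcode)
        commands.append(HciCommand(opcode, ogf, ocf, stream[start:end]))
        offset = end
    return commands


def vendor_specific_commands(stream: bytes) -> List[HciCommand]:
    """Return only the commands a host-side monitor would want to alert on."""
    return [c for c in parse_hci_commands(stream) if c.vendor_specific]


def describe(cmd: HciCommand) -> str:
    group = OGF_NAMES.get(cmd.ogf, "Unknown")
    return (f"opcode 0x{cmd.opcode:04x} ({group}, OGF 0x{cmd.ogf:02x}, "
            f"OCF 0x{cmd.ocf:03x}), {len(cmd.params)} parameter bytes")


# Constructed sample trace: Reset, Read Local Version Information,
# LE Set Scan Enable, then two vendor-specific commands with placeholder OCFs.
SAMPLE_STREAM = bytes.fromhex(
    "01 030c 00"            # Reset (OGF 0x03, OCF 0x003)
    "01 0110 00"            # Read Local Version Information (OGF 0x04, OCF 0x001)
    "01 0c20 02 0100"       # LE Set Scan Enable (OGF 0x08, OCF 0x00c), 2 params
    "01 01fc 04 deadbeef"   # vendor-specific, placeholder OCF 0x001, 4 params
    "01 02fc 00"            # vendor-specific, placeholder OCF 0x002, no params
)

if __name__ == "__main__":
    for cmd in parse_hci_commands(SAMPLE_STREAM):
        flag = "ALERT " if cmd.vendor_specific else "      "
        print(flag + describe(cmd))
```

Running the module prints one line per command with the two vendor-specific entries flagged. In practice the same classification can be applied to a btsnoop capture or to the HCI socket on a Linux host, which is where a defender can observe vendor commands that are otherwise invisible to application-layer monitoring.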
Industry Implications
The ESP32 findings reflect broader challenges in IoT security and supply chain risk management:
Commodity Component Risk: The ESP32's popularity stems from its low cost and integrated functionality. The same factors that drive adoption also mean that vulnerabilities affect an exceptionally large number of products across multiple manufacturers and market segments.
Documentation Gaps: Undocumented functionality in widely deployed components raises questions about security review processes in the semiconductor industry. The discovery suggests that even popular, well-established chips may contain capabilities unknown to device manufacturers building products around them.
Bluetooth Security Landscape: The research adds to a growing body of work examining Bluetooth security. Previous studies have identified vulnerabilities in Bluetooth pairing, encryption, and protocol implementations across various chip vendors.
IoT Update Challenges: Many ESP32-based devices lack mechanisms for security updates, or are deployed in contexts where updates are impractical. The findings underscore ongoing challenges in maintaining security for resource-constrained and widely distributed IoT devices.
What Remains Unclear
Several questions remained unanswered at the time of reporting:
Manufacturer Intent: Whether the undocumented commands represent intentional hidden functionality, debugging features inadvertently left in production firmware, or some other origin has not been established.
Espressif Response: The manufacturer had not issued a public statement regarding the findings or any planned remediation.
Exploitation Feasibility: While the researchers demonstrated the capabilities enabled by the commands, real-world exploitation scenarios and their practical requirements were still being assessed.
Affected Firmware Versions: The specific ESP32 firmware versions containing the undocumented commands, and whether any versions lack the functionality, had not been comprehensively documented.
Other Chip Variants: Whether similar undocumented functionality exists in other Espressif products or chips from other manufacturers remains an open question.
What to Watch
Several developments merit monitoring in the coming weeks:
Espressif Communications: Any official response from the manufacturer regarding the findings, including acknowledgment, technical details, or remediation plans.
CVE Updates: Additional technical details and severity scoring in the National Vulnerability Database entry for CVE-2025-27840.
Device Manufacturer Responses: Statements or security advisories from companies that incorporate ESP32 chips in their products.
Security Community Analysis: Independent verification and additional research from other security researchers examining the undocumented commands.
Exploitation Reports: Any reports of the vulnerability being exploited in real-world attacks.
Sources
- BleepingComputer, "Undocumented commands found in Bluetooth chip used by a billion devices," March 8, 2025. https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/
- Tarlogic Security, "Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices," March 6, 2025. https://www.tarlogic.com/news/hidden-feature-esp32-chip-infect-ot-devices/
- National Vulnerability Database, "CVE-2025-27840," March 2025. https://nvd.nist.gov/vuln/detail/CVE-2025-27840

