CVE-2025-57808
📋 TL;DR
This authentication bypass vulnerability in ESPHome allows attackers to access web server functionality without valid credentials when they provide an empty or partial base64-encoded Authorization header. This affects ESPHome installations using the ESP-IDF platform with web server authentication enabled, potentially exposing OTA updates and other administrative functions to unauthorized access.
💻 Affected Systems
- ESPHome
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over ESPHome devices, can push malicious firmware via OTA updates, and potentially compromise the entire home automation network.
Likely Case
Unauthorized access to device configuration, status information, and potentially malicious firmware updates if OTA is enabled.
If Mitigated
Limited exposure if web server is disabled or devices are isolated from untrusted networks, with only authenticated users able to access administrative functions.
🎯 Exploit Status
Exploitation requires sending HTTP requests with malformed Authorization headers. No authentication is needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.8.1
Vendor Advisory: https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635
Restart Required: Yes
Instructions:
1. Update ESPHome to version 2025.8.1 or later.
2. Rebuild and flash firmware to affected devices.
3. Restart devices to apply the updated firmware.
🔧 Temporary Workarounds
Disable web server
Temporarily disable the ESPHome web server to prevent unauthorized access while planning permanent patching.
Edit the ESPHome configuration to set `web_server:` to `false`, or comment out the `web_server:` section.
Network isolation
Isolate ESPHome devices on a separate VLAN or network segment without internet access.
🧯 If You Can't Patch
- Disable OTA updates in ESPHome configuration to prevent firmware manipulation
- Implement network-level authentication (VPN, firewall rules) to restrict access to ESPHome devices
🔍 How to Verify
Check if Vulnerable:
Check ESPHome version in device configuration or via web interface. Version 2025.8.0 is vulnerable.
Check Version:
Check ESPHome configuration file or web interface for version information
Verify Fix Applied:
Verify ESPHome version is 2025.8.1 or later. Test authentication by attempting to access web server with invalid credentials.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with empty Authorization headers
- Unauthorized access to /ota or other web server endpoints
Network Indicators:
- HTTP requests to ESPHome devices with malformed Authorization headers
- Unusual firmware update traffic
SIEM Query:
http.method:POST AND http.uri:"/ota" AND NOT http.auth:valid
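The log and network indicators above (requests carrying an empty or partially base64-encoded `Authorization` header, and hits on `/ota`) can be checked offline against exported access logs. The following Python is an added example written for this page, not code from the ESPHome project or the advisory. It assumes a constructed combined-log-style format in which the raw `Authorization` header value is appended as the final quoted field; the log lines, IP addresses and header values are all constructed sample data. A malformed `Basic` header that the device nevertheless answered with a 2xx status is the pattern that indicates a successful bypass of the kind described in CVE-2025-57808.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample log lines (hypothetical format, not ESPHome's own log output):
# client - - [timestamp] "METHOD PATH PROTO" STATUS BYTES "Authorization header value"
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "Basic YWRtaW46c2VjcmV0"',
    '192.0.2.20 - - [01/Sep/2025:10:00:05 +0000] "POST /ota HTTP/1.1" 200 0 "Basic "',
    '192.0.2.20 - - [01/Sep/2025:10:00:06 +0000] "POST /ota HTTP/1.1" 200 0 "Basic YWRt"',
    '192.0.2.30 - - [01/Sep/2025:10:00:09 +0000] "GET /light/kitchen HTTP/1.1" 401 0 "-"',
    '192.0.2.40 - - [01/Sep/2025:10:00:12 +0000] "POST /ota HTTP/1.1" 200 0 "Bearer abc"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)

# Header classes that represent the malformed-credential pattern from the advisory.
MALFORMED_CLASSES = {"empty", "partial"}


def classify_authorization(value: str) -> str:
    """Classify a raw Authorization header value.

    absent       -> no header (logged as "-" or empty string)
    non_basic    -> a scheme other than Basic (e.g. Bearer)
    empty        -> "Basic" with no credential token at all
    partial      -> token that is not valid base64, or decodes without a
                    "user:password" separator (truncated credential)
    well_formed  -> syntactically complete Basic credential
    """
    if value in ("", "-"):
        return "absent"
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        return "non_basic"
    token = token.strip()
    if token == "":
        return "empty"
    try:
        # validate=True rejects non-alphabet characters; bad padding raises binascii.Error
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "partial"
    if b":" not in decoded:
        return "partial"
    return "well_formed"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request that carried a malformed Basic header.

    severity "high": the device answered 2xx, i.e. the malformed header was
    accepted (consistent with the bypass). severity "medium": the request was
    rejected, but a client is still probing with malformed credentials.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        auth_class = classify_authorization(rec["auth"])
        if auth_class not in MALFORMED_CLASSES:
            continue
        status = int(rec["status"])
        accepted = 200 <= status < 300
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "auth_class": auth_class,
            "severity": "high" if accepted else "medium",
            # OTA is the highest-impact endpoint named in the advisory
            "ota_endpoint": "yes" if rec["path"] == "/ota" else "no",
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['timestamp']} {f['ip']} {f['method']} {f['path']} "
              f"status={f['status']} auth={f['auth_class']} ota={f['ota_endpoint']}")
```

Against the constructed sample, the two `/ota` requests from `192.0.2.20` (one with an empty token, one with the truncated token `YWRt`) are reported as high severity because the device returned 200; the well-formed, absent and Bearer-scheme headers are not flagged. Adapt `LOG_RE` to whatever format your reverse proxy or capture tooling actually emits; the classification logic is independent of the log layout.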