CVE-2025-66409
📋 TL;DR
This vulnerability in the ESP-IDF Bluetooth stack allows an attacker to trigger an out-of-bounds read by sending a malformed VENDOR DEPENDENT command when AVRCP is enabled on ESP32 devices. This could expose sensitive memory content or cause system instability. Affected users include anyone using ESP-IDF versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6 and earlier with Bluetooth enabled.
💻 Affected Systems
- Espressif ESP-IDF IoT Development Framework
📦 What is this software?
Esp Idf by Espressif
⚠️ Risk & Real-World Impact
Worst Case
Memory disclosure could expose cryptographic keys, authentication tokens, or other sensitive data stored in adjacent memory, potentially leading to complete device compromise.
Likely Case
System instability, crashes, or limited memory disclosure of non-sensitive data due to the constrained nature of IoT device memory.
If Mitigated
Minimal impact if Bluetooth is disabled or devices are not exposed to untrusted Bluetooth connections.
🎯 Exploit Status
Exploitation requires Bluetooth proximity and sending specially crafted VENDOR DEPENDENT commands to vulnerable devices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commits 075ed218cadb8088155521cd8a795d8a626519fb, 2f788e59ee361eee230879ae2ec9cf5c893fe372, 798029129a71c802cff0e75eb59f902bca8f1946, 999710fccf95ae128fe51b5679d6b7c75c50d902, d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace
Vendor Advisory: https://github.com/espressif/esp-idf/security/advisories
Restart Required: Yes
Instructions:
1. Update ESP-IDF to the latest version containing the fixes.
2. Rebuild and flash firmware to affected devices.
3. Restart devices to apply the new firmware.
🔧 Temporary Workarounds
Disable AVRCP Bluetooth Profile
Disable the Audio/Video Remote Control Profile in the Bluetooth configuration to prevent exploitation.
Modify sdkconfig to set CONFIG_BT_AVRC_ENABLED=n
Disable Bluetooth Entirely
Completely disable Bluetooth functionality if it is not required for device operation.
Modify sdkconfig to set CONFIG_BT_ENABLED=n
🧯 If You Can't Patch
- Implement network segmentation to isolate Bluetooth-enabled devices from critical networks
- Deploy physical security controls to limit Bluetooth proximity to trusted areas only
🔍 How to Verify
Check if Vulnerable:
Check the ESP-IDF version in use and verify whether AVRCP is enabled in sdkconfig (CONFIG_BT_AVRC_ENABLED=y).
Check Version:
idf.py --version
Verify Fix Applied:
Verify that the ESP-IDF version in use includes the fix commits, then rebuild the firmware with the updated components.
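The two checks above can be scripted against a project's generated sdkconfig. The script below is an added example, not part of the advisory or of Espressif's tooling; it assumes the Kconfig key names as the advisory gives them (CONFIG_BT_ENABLED, CONFIG_BT_AVRC_ENABLED) and uses constructed sdkconfig fragments as input. It reports a build as exposed only when both Bluetooth and AVRCP are compiled in, and treats an absent, commented-out ("is not set") or "=n" option as off.

```shell
#!/bin/sh
# Added example (not from the advisory or Espressif): inspect an ESP-IDF
# project's generated sdkconfig and report whether the AVRCP profile is
# compiled in, which is the precondition this issue requires.
# Returns 0 when Bluetooth and AVRCP are both enabled, 1 otherwise.
avrcp_enabled() {
    cfg="$1"
    # A disabled Kconfig option is absent, written as
    # "# CONFIG_X is not set", or set to "=n"; only "=y" counts as on.
    grep -q '^CONFIG_BT_ENABLED=y$' "$cfg" || return 1
    grep -q '^CONFIG_BT_AVRC_ENABLED=y$' "$cfg" || return 1
    return 0
}

# Print a one-line verdict for the given sdkconfig path.
report() {
    if avrcp_enabled "$1"; then
        echo "$1: Bluetooth and AVRCP enabled -> exposed unless the build includes the fix commits"
    else
        echo "$1: AVRCP not compiled in -> this issue does not apply"
    fi
}

# Constructed sample sdkconfig fragments, used here only for demonstration.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/exposed.sdkconfig" <<'EOF'
CONFIG_BT_ENABLED=y
CONFIG_BT_AVRC_ENABLED=y
EOF
cat > "$tmp/avrcp_off.sdkconfig" <<'EOF'
CONFIG_BT_ENABLED=y
# CONFIG_BT_AVRC_ENABLED is not set
EOF
cat > "$tmp/bt_off.sdkconfig" <<'EOF'
# CONFIG_BT_ENABLED is not set
CONFIG_BT_AVRC_ENABLED=n
EOF

report "$tmp/exposed.sdkconfig"
report "$tmp/avrcp_off.sdkconfig"
report "$tmp/bt_off.sdkconfig"
```

In a real project, point `report` at the `sdkconfig` in the project root (the file `idf.py menuconfig` writes) and pair the result with the `idf.py --version` output to decide whether the build still needs the fix commits.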
📡 Detection & Monitoring
Log Indicators:
- Bluetooth stack crashes
- Memory access violation logs
- AVRCP protocol errors
Network Indicators:
- Unusual Bluetooth VENDOR DEPENDENT command patterns
- Multiple connection attempts from unknown Bluetooth devices
SIEM Query:
bluetooth AND (crash OR memory OR avrcp) AND esp32
🔗 References
- https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb
- https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372
- https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946
- https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902
- https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace
- https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7
- https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96