CVE-2026-25532

6.3 MEDIUM

📋 TL;DR

This vulnerability in ESP-IDF's WPS Enrollee implementation is an integer underflow that occurs when processing malformed EAP-WSC packets with truncated payloads. An attacker can trigger memory corruption by sending specially crafted packets, potentially leading to denial of service or remote code execution. Affected systems include IoT devices built with ESP-IDF versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6.

💻 Affected Systems

Products:
  • Espressif IoT Development Framework (ESP-IDF)
Versions: 5.5.2, 5.4.3, 5.3.4, 5.2.6, 5.1.6
Operating Systems: All platforms using ESP-IDF (embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when WPS Enrollee functionality is enabled

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data exfiltration, or the device becoming part of a botnet

🟠

Likely Case

Denial of service causing device crashes or instability, potentially requiring physical reset

🟢

If Mitigated

Limited impact if network segmentation prevents attacker access to vulnerable devices

🌐 Internet-Facing: HIGH - IoT devices often directly internet-facing with WPS enabled
🏢 Internal Only: MEDIUM - Requires attacker to be on same network segment

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending malformed EAP-WSC packets to vulnerable devices

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.3, 5.4.4, 5.3.5, 5.2.7, 5.1.7

Vendor Advisory: https://github.com/espressif/esp-idf/security/advisories

Restart Required: Yes

Instructions:

1. Update ESP-IDF to a patched version using 'git checkout' on the appropriate release tag.
2. Rebuild and flash the firmware to affected devices.
3. Verify that WPS functionality works correctly after the update.

🔧 Temporary Workarounds

Disable WPS Enrollee

Applies to: all

Disable WPS functionality in device configuration

# In sdkconfig: CONFIG_ESP_WIFI_ENABLE_WPS=n

Network Segmentation

Applies to: all

Isolate vulnerable devices from untrusted networks

🧯 If You Can't Patch

  • Disable WPS functionality completely in device firmware
  • Implement network access controls to restrict who can send WPS packets to vulnerable devices

🔍 How to Verify

Check if Vulnerable:

Check the ESP-IDF version in the firmware or build configuration. A device is vulnerable if it was built with an affected version and has WPS enabled.

Check Version:

grep -r 'IDF_VER' build/config/sdkconfig.h
(or check the ESP-IDF git tag of the checkout used for the build)

Verify Fix Applied:

Verify that the ESP-IDF version is 5.5.3, 5.4.4, 5.3.5, 5.2.7, or 5.1.7. Test WPS functionality to confirm it works without crashes.
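An added example, not from the advisory or from Espressif, that automates the version and WPS check described in this section against a built project's generated sdkconfig.h. It assumes that sdkconfig.h defines IDF_VER as a quoted string such as "v5.5.2" (the file the grep hint above points at) and that a build with WPS compiled in shows the line '#define CONFIG_ESP_WIFI_ENABLE_WPS 1' (the Kconfig symbol named in the workaround); neither assumption is confirmed by the advisory text. The sample file contents written by the script are constructed, not real build output.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a built ESP-IDF project's
# build/config/sdkconfig.h with respect to CVE-2026-25532.
# Assumptions, not confirmed by the advisory:
#   - sdkconfig.h contains a line like   #define IDF_VER "v5.5.2"
#   - WPS compiled in appears as        #define CONFIG_ESP_WIFI_ENABLE_WPS 1
#     and the line is absent when WPS is disabled.

AFFECTED_VERSIONS="5.5.2 5.4.3 5.3.4 5.2.6 5.1.6"
FIXED_VERSIONS="5.5.3 5.4.4 5.3.5 5.2.7 5.1.7"

# Strip the leading "v" and any "-dirty"/"-dev..."/"+..." suffix from IDF_VER.
normalize_idf_version() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/[-+].*$//'
}

# Exit 0 if version $1 (already normalized) is in the space-separated list $2.
version_in_list() {
    for v in $2; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print the IDF_VER string from a sdkconfig.h; prints nothing if it is absent.
idf_version_from_sdkconfig_h() {
    sed -n 's/^#define IDF_VER "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 if the WPS option is compiled in according to sdkconfig.h.
wps_enabled_in_sdkconfig_h() {
    grep -q '^#define CONFIG_ESP_WIFI_ENABLE_WPS 1' "$1"
}

# Print one verdict for a sdkconfig.h:
#   VULNERABLE       affected version and WPS compiled in
#   MITIGATED        affected version but WPS disabled (workaround applied)
#   PATCHED          one of the fixed releases named in the advisory
#   UNKNOWN_VERSION  a version the advisory does not list either way
#   NO_VERSION       IDF_VER not found in the file
assess_sdkconfig_h() {
    raw=$(idf_version_from_sdkconfig_h "$1")
    if [ -z "$raw" ]; then
        echo NO_VERSION
        return 0
    fi
    ver=$(normalize_idf_version "$raw")
    if version_in_list "$ver" "$FIXED_VERSIONS"; then
        echo PATCHED
    elif version_in_list "$ver" "$AFFECTED_VERSIONS"; then
        if wps_enabled_in_sdkconfig_h "$1"; then
            echo VULNERABLE
        else
            echo MITIGATED
        fi
    else
        echo UNKNOWN_VERSION
    fi
}

# Usage: check_wps_cve.sh [path/to/build/config/sdkconfig.h]
if [ -n "${1:-}" ]; then
    assess_sdkconfig_h "$1"
else
    # No path given: run against a constructed sample, not real build output.
    sample=$(mktemp)
    printf '#define IDF_VER "v5.5.2-dirty"\n#define CONFIG_ESP_WIFI_ENABLE_WPS 1\n' > "$sample"
    echo "constructed sample: $(assess_sdkconfig_h "$sample")"
    rm -f "$sample"
fi
```

Point the script at each device firmware's build/config/sdkconfig.h; a MITIGATED verdict still warrants scheduling the update, since the underflow remains in the tree and a later config change can reintroduce exposure.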

📡 Detection & Monitoring

Log Indicators:

  • Device crashes or reboots during WPS operations
  • Memory corruption errors in system logs

Network Indicators:

  • Malformed EAP-WSC packets with truncated payloads
  • Unusual WPS traffic patterns

SIEM Query:

network.protocol:eap AND network.wps:true AND packet.size:<min_expected_size
