Someone correct me if i’m wrong, but it looks like it’s not the big deal the original blog post makes it out to be.
To issue those undocumented HCI commands one either needs to hijack a computer/soc/mcu that is connected to an esp32 with HCI UART transport enabled or put malicious software on the esp itself.
The mac spoofing might be interesting for people building hacking tools, however.
Yeah, this is hyped for clicks. This requires the target device to already be paired and requires privileged access on the local system to install the custom driver. NVD rates the exploitability of CVE-2025-27840 as 0.3 out of 10.
At rough count I have 16 of those buggers. Appliances, switches, load meters, lights, etc. If I look harder, I’d probably find more. Yikes!
Gotta blame China to get upvoted on Lemmy.
Computers are what we’d get if Epimetheus stole something from the gods for us instead
While I have a few ESP32 in my collection, I am now happy that I chose a different platform for my project.
I wonder what people will say in Nürnberg next week at Embedded World.
