CVE-2025-57808
Published: 02 September 2025
Summary
CVE-2025-57808 is a high-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in ESPHome firmware. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and remediation of flaws, directly mitigating the authentication bypass by patching ESPHome to version 2025.8.1.
Enforces approved authorizations for access to system resources, directly countering the flawed web_server authentication logic that permitted bypass with empty or substring Authorization headers.
Mandates management and verification of authenticators, addressing improper server-side authentication checks on base64-encoded Authorization values.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in network-accessible web_server component directly enables exploitation of a vulnerable application for unauthorized access and potential code deployment via OTA.
NVD Description
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
Deeper analysis
CVE-2025-57808 is a vulnerability in ESPHome version 2025.8.0 running on the ESP-IDF platform. ESPHome is a system for remotely controlling microcontrollers through home automation setups. The flaw resides in the web_server component's authentication mechanism, which incorrectly passes when the client-supplied base64-encoded Authorization header is empty or constitutes a substring of the correct value. This enables unauthorized access to web_server functionality, including over-the-air (OTA) updates if enabled, without any knowledge of the valid username or password. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-303.
An adjacent network attacker can exploit this issue with low attack complexity and no required privileges or user interaction. By crafting an HTTP request with an empty or partial substring Authorization header, the attacker bypasses authentication entirely. Exploitation yields high confidentiality and integrity impacts, granting full access to protected web_server endpoints and potentially allowing arbitrary code execution via OTA if that feature is active on the target device.
The vulnerability has been addressed in ESPHome version 2025.8.1. Official advisories and the patching commit are documented on the ESPHome GitHub repository, including GHSA-mxh2-ccgj-8635 and commit 2aceb56606ec8afec5f49c92e140c8050a6ccbe5. Security practitioners should prioritize updating affected installations to mitigate exposure.
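The flaw class described above, shown beside a hardened check. This is an added example, not ESPHome's code or its patch: it assumes the bug behaves like a comparison bounded by the client-supplied length (which reproduces the empty and leading-substring cases), and the function names and the credential `admin:secret` are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed sample: base64("admin:secret"); not a real device credential.
static const std::string EXPECTED_B64 = "YWRtaW46c2VjcmV0";

// Extracts the credential from "Basic <b64>"; false if the scheme is missing.
bool basic_credential(const std::string &header, std::string &out) {
  static const std::string scheme = "Basic ";
  if (header.compare(0, scheme.size(), scheme) != 0) return false;
  out = header.substr(scheme.size());
  return true;
}

// Flawed pattern (assumed model): only supplied.size() characters are compared,
// so an empty value or any leading substring of the expected value matches.
bool check_flawed(const std::string &header) {
  std::string supplied;
  if (!basic_credential(header, supplied)) return false;
  return EXPECTED_B64.compare(0, supplied.size(), supplied) == 0;
}

// Hardened: reject empty input, require equal length, then compare every
// byte without an early exit so timing does not reveal the matching prefix.
bool check_hardened(const std::string &header) {
  std::string supplied;
  if (!basic_credential(header, supplied)) return false;
  if (supplied.empty() || supplied.size() != EXPECTED_B64.size()) return false;
  unsigned char diff = 0;
  for (std::size_t i = 0; i < EXPECTED_B64.size(); ++i)
    diff |= static_cast<unsigned char>(supplied[i] ^ EXPECTED_B64[i]);
  return diff == 0;
}

int main() {
  // Constructed Authorization header values covering the cases in the advisory.
  const char *samples[] = {"Basic ", "Basic YWRt", "Basic WFhY",
                           "Basic YWRtaW46c2VjcmV0"};
  for (const char *h : samples)
    std::printf("%-26s flawed=%d hardened=%d\n", h, check_flawed(h),
                check_hardened(h));
  return 0;
}
```

The same four headers make a quick regression check against a device's own web_server endpoint after upgrading to 2025.8.1: only the full, correct value should be accepted.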