CVE-2025-57808
Published: 02 September 2025
Summary
CVE-2025-57808 is a high-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in ESPHome firmware. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
ESPHome version 2025.8.0 on the ESP-IDF platform contains an authentication bypass in its web_server component. The check incorrectly accepts an empty base64-encoded Authorization header value or any value that is a substring of the correct credential, granting access to all web_server endpoints without knowledge of the configured username or password.
An attacker on the adjacent network can reach the affected device and invoke any web_server functionality, including over-the-air firmware updates when that feature is enabled. The flaw requires no prior credentials and no user interaction, resulting in high impact to confidentiality and integrity.
The project has released version 2025.8.1 to correct the authentication logic. The accompanying GitHub security advisory GHSA-mxh2-ccgj-8635 and the referenced commit detail the patch and recommend immediate upgrade for any deployment still running 2025.8.0.
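The failure mode described above, as an added C++ example that is not ESPHome's code: it assumes the flaw takes the form of a comparison bounded by the client-supplied length, and pairs it with a length-checked, full-width comparison. The helper names and the sample credential are constructed for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed sample: base64("admin:secret"); not a value from the advisory.
static const std::string kExpectedB64 = "YWRtaW46c2VjcmV0";

// Hypothetical helper: credential part of "Basic <b64>", or "" if the scheme is absent.
std::string basic_value(const std::string &header) {
  static const std::string kPrefix = "Basic ";
  if (header.compare(0, kPrefix.size(), kPrefix) != 0) return "";
  return header.substr(kPrefix.size());
}

// Flawed pattern (assumed): the number of bytes compared comes from the client.
// An empty value compares zero bytes; a leading substring compares only itself.
bool check_flawed(const std::string &expected, const std::string &supplied) {
  return std::strncmp(expected.c_str(), supplied.c_str(), supplied.size()) == 0;
}

// Corrected pattern: lengths must match, then every byte is compared with no
// early exit, so the result does not depend on where the first mismatch is.
bool check_fixed(const std::string &expected, const std::string &supplied) {
  if (supplied.size() != expected.size()) return false;
  unsigned char diff = 0;
  for (std::size_t i = 0; i < expected.size(); ++i)
    diff |= static_cast<unsigned char>(expected[i] ^ supplied[i]);
  return diff == 0;
}

// Regression helper: count non-matching headers that a checker accepts.
int wrongly_accepted(bool (*check)(const std::string &, const std::string &)) {
  const char *bad[] = {"Basic ", "Basic YWRt", "Basic YWRtaW46c2VjcmV",
                       "Basic WFhYWA=="};
  int n = 0;
  for (const char *h : bad)
    if (check(kExpectedB64, basic_value(h))) ++n;
  return n;
}

int main() {
  std::printf("flawed accepts %d of 4 bad headers\n", wrongly_accepted(check_flawed));
  std::printf("fixed accepts %d of 4 bad headers\n", wrongly_accepted(check_fixed));
  return 0;
}
```

The same table of empty, truncated and wrong values works as a regression test against any Basic-auth check after upgrading.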
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26385
Vulnerability details
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in network-accessible web_server component directly enables exploitation of a vulnerable application for unauthorized access and potential code deployment via OTA.
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and remediation of flaws, directly mitigating the authentication bypass by patching ESPHome to version 2025.8.1.
Enforces approved authorizations for access to system resources, directly countering the flawed web_server authentication logic that permitted bypass with empty or substring Authorization headers.
Mandates management and verification of authenticators, addressing improper server-side authentication checks on base64-encoded Authorization values.