CVE-2025-66409
Published: 02 December 2025
Summary
CVE-2025-66409 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Espressif ESP-IDF. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over Bluetooth (T1011.001). It ranks in the 14.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of information inputs, such as the AVRCP VENDOR DEPENDENT command buffer length, before memory access, directly preventing the out-of-bounds read.
- SI-16 (Memory Protection): Implements memory protection mechanisms that restrict out-of-bounds reads in the Bluetooth stack, limiting exposure of unintended memory contents or crashes.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of flaws such as this buffer validation issue by patching to the fixed ESP-IDF versions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds read enables memory leak (exfiltration over Bluetooth) and crash (endpoint DoS via application exploitation).
NVD Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior.
Deeper analysis
CVE-2025-66409 is an out-of-bounds read vulnerability (CWE-125) in the Espressif IoT Development Framework (ESP-IDF), affecting versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier. The issue resides in the Bluetooth stack on ESP32 devices when AVRCP is enabled. It occurs when the stack processes a malformed VENDOR DEPENDENT command from a peer device and accesses memory before validating the command buffer length. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to high impact on confidentiality and availability.
An attacker within Bluetooth range can exploit this vulnerability remotely without privileges or user interaction by sending a specially crafted VENDOR DEPENDENT command to a vulnerable ESP32 device with AVRCP enabled. Successful exploitation triggers an out-of-bounds read, potentially leaking sensitive memory contents or inducing unexpected behavior such as crashes or denial of service.
Mitigation requires updating to a patched version of ESP-IDF, as evidenced by fixes in the Espressif esp-idf repository. Relevant commits include 075ed218cadb8088155521cd8a795d8a626519fb, 2f788e59ee361eee230879ae2ec9cf5c893fe372, 798029129a71c802cff0e75eb59f902bca8f1946, 999710fccf95ae128fe51b5679d6b7c75c50d902, and d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace, which add buffer length validation to the Bluetooth AVRCP handling.
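To make the "validate the command buffer length before memory access" point concrete, here is an added illustration in C. It is hypothetical example code written for this page, not ESP-IDF's AVRCP implementation and not the content of the commits listed above. The frame layout (a 10-byte fixed header with a big-endian parameter length, followed by parameters) is a simplified rendering of the AVRCP VENDOR DEPENDENT command used only for the example; the constants, the maximum parameter length and the sample frames are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified VENDOR DEPENDENT frame layout assumed by this example:
 *   [0] ctype   [1] subunit   [2] opcode (0x00 = VENDOR DEPENDENT)
 *   [3..5] company ID   [6] PDU ID   [7] packet type
 *   [8..9] parameter length, big-endian   [10..] parameters
 */
#define AVRC_OP_VENDOR     0x00
#define VENDOR_HDR_LEN     10
#define AVRC_MAX_PARAM_LEN 512   /* constructed upper bound for the example */

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_TOO_SHORT,     /* fewer bytes than the fixed header */
    PARSE_ERR_WRONG_OPCODE,  /* not a VENDOR DEPENDENT frame */
    PARSE_ERR_PARAM_LEN      /* declared length exceeds what was received */
} parse_status_t;

typedef struct {
    uint8_t        ctype;
    uint32_t       company_id;
    uint8_t        pdu_id;
    uint8_t        packet_type;
    uint16_t       param_len;
    const uint8_t *params;   /* points into the caller's buffer */
} vendor_pdu_t;

/* Parse a received frame. Every read is preceded by a check that the bytes
 * being read were actually received: first the fixed header, then the
 * parameter region as sized by the (peer-controlled) length field. A parser
 * that trusts the length field before checking it against `len` is the
 * CWE-125 pattern described on this page. */
parse_status_t parse_vendor_dependent(const uint8_t *buf, size_t len, vendor_pdu_t *out)
{
    if (buf == NULL || out == NULL) {
        return PARSE_ERR_TOO_SHORT;
    }
    /* Check 1: the whole fixed header must be present before any field is read. */
    if (len < VENDOR_HDR_LEN) {
        return PARSE_ERR_TOO_SHORT;
    }
    if (buf[2] != AVRC_OP_VENDOR) {
        return PARSE_ERR_WRONG_OPCODE;
    }

    uint16_t param_len = (uint16_t)(((uint16_t)buf[8] << 8) | buf[9]);

    /* Check 2: the declared parameter length must not exceed the bytes that
     * follow the header. Compare against (len - VENDOR_HDR_LEN), which is
     * safe because Check 1 guarantees len >= VENDOR_HDR_LEN; adding
     * param_len to the header length instead could wrap on small integers. */
    if (param_len > AVRC_MAX_PARAM_LEN || param_len > len - VENDOR_HDR_LEN) {
        return PARSE_ERR_PARAM_LEN;
    }

    out->ctype       = buf[0] & 0x0F;
    out->company_id  = ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 8) | buf[5];
    out->pdu_id      = buf[6];
    out->packet_type = buf[7] & 0x03;
    out->param_len   = param_len;
    out->params      = buf + VENDOR_HDR_LEN;
    return PARSE_OK;
}

/* Constructed sample 1: well-formed frame carrying one parameter byte. */
const uint8_t good_pdu[] = {
    0x01, 0x48, 0x00,   /* ctype, subunit, VENDOR DEPENDENT opcode */
    0x00, 0x19, 0x58,   /* company ID (constructed value) */
    0x10, 0x00,         /* PDU ID, single packet */
    0x00, 0x01,         /* parameter length = 1 */
    0x03                /* the one parameter byte */
};
/* Constructed sample 2: same header, but claims 0xFFFF parameter bytes while
 * only one follows. The length check rejects it before any parameter read. */
const uint8_t bad_len_pdu[] = {
    0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0xFF, 0xFF, 0x03
};
/* Constructed sample 3: truncated frame, shorter than the fixed header. */
const uint8_t truncated_pdu[] = { 0x01, 0x48, 0x00, 0x00, 0x19 };

int main(void)
{
    vendor_pdu_t pdu;
    printf("good:      %d\n", parse_vendor_dependent(good_pdu, sizeof good_pdu, &pdu));
    printf("bad len:   %d\n", parse_vendor_dependent(bad_len_pdu, sizeof bad_len_pdu, &pdu));
    printf("truncated: %d\n", parse_vendor_dependent(truncated_pdu, sizeof truncated_pdu, &pdu));
    return 0;
}
```

The ordering matters: the header-length check comes before the opcode byte is read, and the parameter-length check comes before `params` is exposed to any caller, so a peer-supplied length can never widen a read past the bytes the stack actually received.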
Details
- CWE(s): CWE-125 (Out-of-bounds Read)