Cyber Resilience

CVE-2025-66409

Severity: Low
Published: 02 December 2025
Modified: 13 February 2026
CVSS v4 score: 2.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0006 (20.3rd percentile)
Risk priority: 5 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66409 is a low-severity Out-of-bounds Read (CWE-125) vulnerability in Espressif Esp-Idf. Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over Bluetooth (T1011.001). The vulnerability is ranked at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-66409 is an out-of-bounds read vulnerability (CWE-125) in the Espressif IoT Development Framework (ESP-IDF), affecting versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier. The issue resides in the Bluetooth stack on ESP32 devices when AVRCP is enabled. It occurs when the stack processes a malformed VENDOR DEPENDENT command from a peer device and accesses memory before validating the command buffer length. This flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to high impacts on confidentiality and availability.

An attacker within Bluetooth range can exploit this vulnerability remotely without privileges or user interaction by sending a specially crafted VENDOR DEPENDENT command to a vulnerable ESP32 device with AVRCP enabled. Successful exploitation triggers an out-of-bounds read, potentially leaking sensitive memory contents or inducing unexpected behavior such as crashes or denial of service.

Mitigation requires updating to a patched version of ESP-IDF, as evidenced by fixes in the Espressif esp-idf repository. Relevant commits include 075ed218cadb8088155521cd8a795d8a626519fb, 2f788e59ee361eee230879ae2ec9cf5c893fe372, 798029129a71c802cff0e75eb59f902bca8f1946, 999710fccf95ae128fe51b5679d6b7c75c50d902, and d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace, which address the buffer length validation in the Bluetooth AVRCP handling.
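As an added illustration of the length validation the fix describes (this is example code, not code from esp-idf or Espressif), the following hypothetical parser for a VENDOR DEPENDENT command checks the number of bytes actually received before reading any field, so a truncated frame or an oversized declared parameter length is rejected rather than read out of bounds. The frame layout, field names and sample frames are simplifying assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified VENDOR DEPENDENT layout assumed for this example (not esp-idf's structures):
 * [0] ctype  [1] subunit  [2] opcode (0x00 = VENDOR DEPENDENT)  [3..5] company ID
 * [6] PDU ID  [7] packet type  [8..9] parameter length (big-endian)  [10..] parameters */
#define AVC_OPCODE_VENDOR 0x00u
#define VD_HDR_LEN        10u

typedef struct {
    uint32_t       company_id;
    uint8_t        pdu_id;
    uint8_t        pkt_type;
    uint16_t       param_len;
    const uint8_t *params;     /* points into the caller's buffer, never past len */
} vd_cmd_t;

enum { VD_OK = 0, VD_ERR_SHORT = -1, VD_ERR_OPCODE = -2, VD_ERR_LEN = -3 };

/* Parse a received frame. Every field read is preceded by a check that the
 * bytes it needs lie inside the len bytes actually received, so a peer that
 * sends a truncated frame, or a parameter length larger than the payload it
 * delivered, gets an error instead of an out-of-bounds read. */
int vd_parse(const uint8_t *buf, size_t len, vd_cmd_t *out)
{
    if (buf == NULL || out == NULL || len < VD_HDR_LEN)
        return VD_ERR_SHORT;                   /* header incomplete: touch nothing */
    if (buf[2] != AVC_OPCODE_VENDOR)
        return VD_ERR_OPCODE;
    uint16_t plen = (uint16_t)((buf[8] << 8) | buf[9]);
    if (plen > len - VD_HDR_LEN)               /* declared length vs bytes received */
        return VD_ERR_LEN;
    out->company_id = ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 8) | buf[5];
    out->pdu_id     = buf[6];
    out->pkt_type   = buf[7] & 0x03u;
    out->param_len  = plen;
    out->params     = buf + VD_HDR_LEN;
    return VD_OK;
}

/* Constructed sample frames (company ID 0x001958, PDU ID 0x10 with one parameter byte). */
static const uint8_t good_frame[]  = { 0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0x00, 0x01, 0x03 };
static const uint8_t lying_frame[] = { 0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0x00, 0x40, 0x03 }; /* claims 64 bytes */
static const uint8_t short_frame[] = { 0x01, 0x48, 0x00, 0x00, 0x19 };                                     /* cut mid-header */
```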

Vulnerability details

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior.

CWE(s): CWE-125 (Out-of-bounds Read)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1011.001 Exfiltration Over Bluetooth (Exfiltration): Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read enables memory leak (exfiltration over Bluetooth) and crash (endpoint DoS via application exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25532: same product (Espressif Esp-Idf)
CVE-2024-53406: same product (Espressif Esp-Idf)
CVE-2026-23388: shared CWE-125
CVE-2025-24265: shared CWE-125
CVE-2025-21717: shared CWE-125
CVE-2026-6918: shared CWE-125
CVE-2026-25942: shared CWE-125
CVE-2024-46670: shared CWE-125
CVE-2026-48132: shared CWE-125
CVE-2026-22023: shared CWE-125

Affected Assets

espressif esp-idf: ≤ 5.1.6; 5.2 to 5.2.6; 5.3 to 5.3.4

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation of information inputs, such as the AVRCP VENDOR DEPENDENT command buffer length, before memory access, directly preventing the out-of-bounds read.

SI-16 Memory Protection (prevent): Implements memory protection mechanisms that restrict out-of-bounds reads in the Bluetooth stack, mitigating exposure of unintended memory contents or crashes.

SI-2 Flaw Remediation (prevent): Mandates identification, reporting, and correction of flaws like this buffer validation issue by patching to the fixed ESP-IDF versions.
