That ESP32 thing has a CVE: CVE-2025-27840: https://nvd.nist.gov/vuln/detail/CVE-2025-27840 .
And, pretty much everything all of the well-known infosec people have been saying is correct: physical access required (or, high privileges and high attack complexity; the score is kinda 'wrong' in some sense because it is combining two exploitation vectors but I think it gets across the point: this is not wormable and is not exploitable via wireless, at least not on its own. and if your threat model allows for physical access but still treats this as a big deal somehow, go home, your threat model is drunk).
K. Reid Wightman :verified: 🌻 /
npub106…4mqj7
2025-03-09 04:03:24
Author Public Key
npub106eat5hjz3zhehyeq6klt5vah8lssugjkjpzwsv5del6nhs0dh9sd4mqj7Published at
2025-03-09 04:03:24Event JSON
{
"id": "8fabaace68a1046bf3eda9da7e94aa5994fb1526f13e53b5ac6e249d5ebdca62",
"pubkey": "7eb3d5d2f214457cdc9906adf5d19db9ff087112b4822741946e7fa9de0f6dcb",
"created_at": 1741493004,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/reverseics/statuses/114130485558192909",
"activitypub"
]
],
"content": "That ESP32 thing has a CVE: CVE-2025-27840: https://nvd.nist.gov/vuln/detail/CVE-2025-27840 . \n\nAnd, pretty much everything all of the well-known infosec people have been saying is correct: physical access required (or, high privileges and high attack complexity; the score is kinda 'wrong' in some sense because it is combining two exploitation vectors but I think it gets across the point: this is not wormable and is not exploitable via wireless, at least not on its own. and if your threat model allows for physical access but still treats this as a big deal somehow, go home, your threat model is drunk).",
"sig": "3bd532f3f1ceed45b0a0422c943ccbaf6265fa35a1a95411b3fbf33dc5b62cb9f2c0ec42f06a2b129229e24f2e1bb88ee0ff64ff2382a2732976de855dbd6074"
}