Insecure Permissions in Espressif IDF Affects Device Authentication
CVE-2024-53406

8.8HIGH

Key Information:

Vendor: Espressif
Status: Espressif IDF
Vendor: CVE Published:; 13 March 2025

What is CVE-2024-53406?

Espressif IDF v5.3.0 is exposed to an Insecure Permissions vulnerability that can lead to authentication bypass. During the reconnection process, the device incorrectly reuses the session key from earlier connection sessions. This flaw creates an avenue for malicious actors to exploit security weaknesses, enabling unauthorized access to sensitive functions. Mitigation efforts should focus on ensuring proper session key management to enhance device security.

References

https://github.com/espressif/esp-idf

https://github.com/yangting111/BLE_TEST/blob/main/result/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2025
Vulnerability Reserved
Nov 20, 2024