Cross-Site Request Forgery Vulnerability in Arduino Core for ESP32 Microcontrollers
CVE-2025-53540

8.7HIGH

Key Information:

Vendor: Espressif
Status: Arduino-esp32
Vendor: CVE Published:; 7 July 2025

What is CVE-2025-53540?

The Arduino core for ESP32, which supports various ESP32 microcontrollers, has a vulnerability in the Over-The-Air (OTA) update mechanism. Specifically, the HTTPUpdateServer implementation lacks CSRF protection for POST requests used to upload firmware. This oversight allows an attacker to exploit the vulnerability by uploading malicious firmware, potentially leading to remote code execution on affected devices. The issue has been resolved in version 3.2.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

arduino-esp32 < 3.2.1

References

https://github.com/espressif/arduino-esp32/security/advis...

x_refsource_CONFIRM

https://github.com/espressif/arduino-esp32/commit/f4fdecc...

x_refsource_MISC

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Jul 7, 2025
Vulnerability Reserved
Jul 2, 2025

JSON

Espressif

What is CVE-2025-53540?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.