Cross-Site Request Forgery Vulnerability in Arduino Core for ESP32 Microcontrollers
CVE-2025-53540

8.7HIGH

Key Information:

Vendor: Espressif
Status: Arduino-esp32
Vendor: CVE Published:; 7 July 2025

What is CVE-2025-53540?

The Arduino core for ESP32, which supports various ESP32 microcontrollers, has a vulnerability in the Over-The-Air (OTA) update mechanism. Specifically, the HTTPUpdateServer implementation lacks CSRF protection for POST requests used to upload firmware. This oversight allows an attacker to exploit the vulnerability by uploading malicious firmware, potentially leading to remote code execution on affected devices. The issue has been resolved in version 3.2.1.

Affected Version(s)

arduino-esp32 < 3.2.1

References

https://github.com/espressif/arduino-esp32/security/advis...

x_refsource_CONFIRM

https://github.com/espressif/arduino-esp32/commit/f4fdecc...

x_refsource_MISC

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 7, 2025
Vulnerability Reserved
Jul 2, 2025

Espressif

What is CVE-2025-53540?

Affected Version(s)

References

CVSS V4

Timeline