CVE-2025-57808
published 2025-09-02

Priority: P354 (high), CVSS 3.1 base score 8.1
CVSS vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.51% (71.3rd percentile)

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.

Affected (3 ranges)

Vendor  | Product          | Version range     | Fixed in
esphome | esphome          |                   |
esphome | esphome          | >= 0, < 2025.8.1  | 2025.8.1
esphome | esphome_firmware |                   |

Detection & IOCs (extracted from sources)

Shodan query: http.title:"ESPHome"
  • Send a GET request with an empty or truncated base64-encoded Authorization header value (e.g. 'Authorization: Basic' with no trailing credential data). A 200 response containing 'Dashboard - ESPHome' in the body indicates a successful authentication bypass.
  • The vulnerability is triggered when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value, causing the authentication check to pass incorrectly.
  • The affected version is ESPHome 2025.8.0 on the ESP-IDF platform. Exposed instances can be identified via Shodan using the query http.title:"ESPHome".
  • Successful exploitation grants access to web_server functionality, including OTA updates, without any knowledge of valid credentials.
  • The bypass only affects ESPHome version 2025.8.0 on the ESP-IDF platform specifically; other platforms or versions are not confirmed vulnerable.
  • OTA exploitation is conditional: the web_server component must have OTA enabled for that attack surface to be reachable.
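The following C++ is an added illustration of the flaw class this advisory describes and of the corresponding fix; it is hypothetical code written for this page, not ESPHome's source, and the expected credential (base64 of "admin:secret") is a constructed sample. The flawed check accepts any supplied value that occurs as a substring of the expected one, which is exactly why an empty value or a fragment of the real credential passes; the hardened check rejects empty input, requires equal lengths, and compares in constant time.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed sample credential: base64("admin:secret"), i.e. the value a
// client sends as "Authorization: Basic <value>" for that username/password.
static const std::string kExpectedBasic = "YWRtaW46c2VjcmV0";

// Extract the value after "Basic" from an Authorization header. Returns an
// empty string when the scheme is not Basic or no value follows it.
std::string extractBasicValue(const std::string &header) {
    const std::string scheme = "Basic";
    if (header.compare(0, scheme.size(), scheme) != 0) return "";
    std::size_t pos = scheme.size();
    while (pos < header.size() && header[pos] == ' ') ++pos;
    return header.substr(pos);
}

// FLAWED check (hypothetical, models the behaviour the advisory describes):
// the request is accepted if the supplied value appears anywhere in the
// expected value. find("") returns 0 for any string, and any fragment of the
// real credential such as "YWRt" is also found, so both pass without the
// client knowing the username or password.
bool flawedAuthCheck(const std::string &supplied) {
    return kExpectedBasic.find(supplied) != std::string::npos;
}

// Constant-time equality for equal-length strings: the loop always runs to
// the end and ORs the byte differences, so response time does not reveal
// how many leading bytes matched.
bool constantTimeEquals(const std::string &a, const std::string &b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
    return diff == 0;
}

// HARDENED check: reject empty input, require matching length (which rules
// out every proper substring), then compare the full value in constant time.
bool hardenedAuthCheck(const std::string &supplied) {
    if (supplied.empty()) return false;
    return constantTimeEquals(supplied, kExpectedBasic);
}

// Evaluate a complete Authorization header under either policy.
bool authorize(const std::string &header, bool hardened) {
    const std::string value = extractBasicValue(header);
    return hardened ? hardenedAuthCheck(value) : flawedAuthCheck(value);
}

int main() {
    // Constructed probe headers: empty value, credential fragment, exact
    // credential, and an unrelated credential (base64 of "foo:bar").
    const char *probes[] = {"Basic", "Basic YWRt", "Basic YWRtaW46c2VjcmV0",
                            "Basic Zm9vOmJhcg=="};
    for (const char *p : probes)
        std::printf("%-26s flawed=%d hardened=%d\n", p,
                    static_cast<int>(authorize(p, false)),
                    static_cast<int>(authorize(p, true)));
    return 0;
}
```

The length check alone closes the substring case, but the constant-time comparison is kept because an early-exit `==` over a secret leaks the position of the first mismatching byte through timing; the two checks together are what a web_server-style Basic auth handler should do before granting access to anything, OTA included.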