Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/reverseics/statuses/114130485558192909">K. Reid Wightman :verified: 🌻 (reverseics@infosec.exchange)'s status on Sunday, 09-Mar-2025 13:34:09 JST</a><a href="https://infosec.exchange/@reverseics" title="reverseics@infosec.exchange"><img src="https://gnusocial.jp/avatar/79443-48-20250301074430.webp" width="48" height="48" alt="K. Reid Wightman :verified: 🌻" style="position: absolute; left: 0; top: 0;">K. Reid Wightman :verified: 🌻</a></section><article><p>That ESP32 thing has a CVE: CVE-2025-27840: <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-27840" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2025-27840</a> . </p><p>And, pretty much everything all of the well-known infosec people have been saying is correct: physical access required (or, high privileges and high attack complexity; the score is kinda 'wrong' in some sense because it is combining two exploitation vectors but I think it gets across the point: this is not wormable and is not exploitable via wireless, at least not on its own. and if your threat model allows for physical access but still treats this as a big deal somehow, go home, your threat model is drunk).</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4699984#notice-9203113">In conversation</a><time datetime="2025-03-09T13:34:09+09:00" title="Sunday, 09-Mar-2025 13:34:09 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@reverseics/114130485558192909" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@reverseics/114130485558192909">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-27840">NVD - CVE-2025-27840</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
K. Reid Wightman :verified: 🌻 (reverseics@infosec.exchange)'s status on Sunday, 09-Mar-2025 13:34:09 JST K. Reid Wightman :verified: 🌻
That ESP32 thing has a CVE: CVE-2025-27840: https://nvd.nist.gov/vuln/detail/CVE-2025-27840 .
And, pretty much everything all of the well-known infosec people have been saying is correct: physical access required (or, high privileges and high attack complexity; the score is kinda 'wrong' in some sense because it is combining two exploitation vectors but I think it gets across the point: this is not wormable and is not exploitable via wireless, at least not on its own. and if your threat model allows for physical access but still treats this as a big deal somehow, go home, your threat model is drunk).
In conversationabout a month ago from infosec.exchangepermalink
Attachments
1. No result found on File_thumbnail lookup.
  NVD - CVE-2025-27840

Public

Embed Notice

HTML Code

Corresponding Notice