CVE-2025-57808
moderate-risk
Published 2025-09-02
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
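To make the failure mode concrete, the block below is an added illustration of the bug class the advisory describes, written for this page; it is not ESPHome's code and does not reproduce the patched or unpatched web_server source. The function names (`vulnerable_auth_ok`, `hardened_auth_ok`, `check_basic_header`) and the credential token (`user:pass` in base64) are constructed for the example. The vulnerable variant accepts any token that appears inside the expected one, so an empty token and any substring both pass; the hardened variant requires a non-empty token of equal length and compares it in constant time.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed credential material for the demo (not taken from the advisory):
// "user:pass" base64-encoded, the form a Basic Authorization header carries.
static const std::string kExpectedToken = "dXNlcjpwYXNz";

// Illustrative form of the bug class: the check asks whether the
// client-supplied token occurs inside the expected token. std::string::find("")
// returns 0, so an empty token matches, and so does any substring.
bool vulnerable_auth_ok(const std::string& expected, const std::string& supplied) {
    return expected.find(supplied) != std::string::npos;
}

// Constant-time equality over equal-length strings: the running time does not
// depend on where the first differing byte sits.
static bool ct_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i) {
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    }
    return diff == 0;
}

// Hardened check: the token must be non-empty, the same length as the expected
// value, and byte-for-byte equal. Substrings and empty input are rejected.
bool hardened_auth_ok(const std::string& expected, const std::string& supplied) {
    if (supplied.empty()) return false;
    return ct_equal(expected, supplied);
}

// Splits a "Basic <token>" header and runs the chosen check on the token.
// Any header that is not exactly the Basic scheme is rejected outright.
bool check_basic_header(const std::string& header,
                        bool (*check)(const std::string&, const std::string&)) {
    static const std::string prefix = "Basic ";
    if (header.compare(0, prefix.size(), prefix) != 0) return false;
    return check(kExpectedToken, header.substr(prefix.size()));
}

int main() {
    // Constructed sample headers: empty token, prefix substring, exact token.
    const char* samples[] = {"Basic ", "Basic dXNl", "Basic dXNlcjpwYXNz"};
    for (const char* h : samples) {
        std::printf("%-22s vulnerable=%d hardened=%d\n", h,
                    check_basic_header(h, vulnerable_auth_ok),
                    check_basic_header(h, hardened_auth_ok));
    }
    return 0;
}
```

The two properties a reviewer checks in any credential comparison are visible here: the comparison must be driven by the expected value's length (not the client's), and it must run to completion regardless of where the strings differ.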
Do I need to act?
EPSS: 6.2% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this record (the description above notes a fix in version 2025.8.1); check vendor advisories for fix availability and mitigation guidance
CVSS 8.1/10 (High); attack vector: ADJACENT_NETWORK; attack complexity: LOW
Affected Products (1): Esphome Firmware
Affected Vendors: not listed
Risk score: 39/100 (moderate-risk)
Severity: 25/34 (High)
Exploitability: 9/34 (Low)
Exposure: 5/34 (Minimal)