AISLE Finds 4 CVEs in One of the World’s Most Popular IoT Platforms
Author: AISLE Research Team
Date Published:

Given the prevalence of IoT (Internet of Things) devices in industries like healthcare and energy, their operational resilience is often critical to human health and safety. So after partnering with OpenSSL and curl to secure the foundations of modern software, the AISLE Research Team set out to uncover vulnerabilities in the embedded devices we all rely upon.
ESP-IDF was a natural starting point. As the development framework for the ESP32 family of chips, one of the world’s most widely deployed embedded platforms, it touches smart home devices, industrial sensors, medical peripherals, and connected infrastructure across virtually every industry.
When we used AISLE’s analyzer agents to inspect ESP-IDF code, they found four vulnerabilities affecting JPEG parsing, Classic Bluetooth, AVRCP, SDP discovery, and WPS enrollee handling. Three of the four were high severity issues. AISLE responsibly disclosed these findings to ESP-IDF developers Espressif, and they have since been fixed.
What AISLE’s Analyzer Agents Found
Embedded frameworks are difficult to secure because their attack surface is spread across many small pieces of protocol and parser logic. A malformed image, a Bluetooth service response, a vendor metadata field, or a truncated WPS packet can reach code that was written to assume well-formed input and tight memory constraints. These four CVEs are a case in point:
| Finding | Area | Severity | What happened |
|---|---|---|---|
| CVE-2025-65092 | ESP32-P4 JPEG decoder | 6.9 CVSS | A malformed JPEG marker could trigger an out-of-bounds access in the software parser used with the hardware JPEG decoder. |
| CVE-2025-68474 | Classic Bluetooth AVRCP | 7.6 CVSS | An incorrect size calculation in |
| CVE-2025-68473 | Classic Bluetooth SDP discovery | 8.6 CVSS | The BlueDroid SDP path used a fixed 32-entry UUID buffer without clamping the number of discovered services, leading to out-of-bounds memory access. |
| CVE-2026-25532 | WPS enrollee | 8.0 CVSS | A truncated EAP-WSC packet could make a fragment length go negative, then pass it into buffer code as a large unsigned size. |
Here’s how each of these vulnerabilities works:
CVE-2025-65092
The JPEG issue sits in header parsing. The parser trusts length information from an image and advances through the buffer without enough validation. A malformed JPEG can push the parser outside the valid input.
CVE-2025-68474
The AVRCP issue comes from checking against the wrong amount of overhead. The code validates the vendor payload against a constant that does not match what was actually written before the payload. When the length approaches the end of the buffer, the copy can run past it.
CVE-2025-68473
The SDP issue is a fixed-buffer accumulation bug. The Bluetooth stack collects discovered service UUIDs into a 32-entry stack array, but does not stop writing once the count exceeds that limit. A nearby Bluetooth device could return enough UUIDs to drive the code past the end of the array.
CVE-2026-25532
The WPS issue is a signed-to-unsigned bug. A malformed EAP-WSC message can make frag_len negative. That value later reaches buffer routines that take size_t, turning a negative length into a very large copy.
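The signed-to-unsigned pattern behind the WPS finding, shown as an added illustration rather than ESP-IDF's or hostap's code: the unchecked length computation beside a hardened fragment parser. The framing (a 5-byte EAP header plus a 2-byte WSC header), the size limit and the sample packets are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed, simplified framing for illustration only (not ESP-IDF's or hostap's code):
 * a 5-byte EAP header (code, id, 16-bit big-endian length, type), then a 2-byte WSC
 * header (op-code, flags); the fragment payload is whatever remains. */
#define EAP_HDR_LEN  5
#define WSC_HDR_LEN  2
#define HDRS_LEN     (EAP_HDR_LEN + WSC_HDR_LEN)
#define WSC_MAX_FRAG 1024
/* Bug pattern: a signed length derived from an untrusted length field. When eap_len is
 * smaller than the headers the result is negative, and as a size_t it becomes a huge copy. */
size_t unchecked_frag_len(uint16_t eap_len)
{
    int frag_len = (int)eap_len - HDRS_LEN;   /* goes negative on a truncated message */
    return (size_t)frag_len;                  /* e.g. -3 becomes SIZE_MAX - 2 */
}
/* Hardened pattern: validate before arithmetic, keep lengths unsigned, and bound the
 * fragment by the bytes that actually arrived. Returns 0 and sets *frag_len on success,
 * -1 for a truncated, inconsistent or oversized message. */
int parse_wsc_fragment(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *out, size_t out_cap, size_t *frag_len)
{
    if (pkt == NULL || out == NULL || frag_len == NULL || pkt_len < HDRS_LEN)
        return -1;                                   /* not even the headers arrived */
    uint16_t eap_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (eap_len < HDRS_LEN || eap_len > pkt_len)
        return -1;                                   /* declared length inconsistent with buffer */
    size_t len = (size_t)eap_len - HDRS_LEN;         /* cannot underflow after the check above */
    if (len > WSC_MAX_FRAG || len > out_cap)
        return -1;
    memcpy(out, pkt + HDRS_LEN, len);
    *frag_len = len;
    return 0;
}
/* Constructed samples: truncated to 3 bytes; EAP length field (4) smaller than the
 * headers; and a well-formed message carrying a 3-byte payload. */
static const uint8_t truncated_pkt[3]  = { 0x02, 0x01, 0x00 };
static const uint8_t short_len_pkt[10] = { 0x02, 0x01, 0x00, 0x04, 0xFE, 0x04, 0x00, 0xAA, 0xBB, 0xCC };
static const uint8_t good_pkt[10]      = { 0x02, 0x01, 0x00, 0x0A, 0xFE, 0x04, 0x00, 0xAA, 0xBB, 0xCC };
/* Runs the hardened parser on one sample; returns the payload length or (size_t)-1 if rejected. */
size_t try_parse(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t out[WSC_MAX_FRAG];
    size_t n = 0;
    return parse_wsc_fragment(pkt, pkt_len, out, sizeof out, &n) == 0 ? n : (size_t)-1;
}
```

The first function never reaches a copy here; it only shows the value a negative `int` turns into when handed to a `size_t` parameter, which is the step the hardened parser refuses to take.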
To sum up, these CVEs are emblematic of the bugs that often appear in mature embedded code. Each makes a small assumption about packet shape, field length, buffer layout, or parser state that doesn't hold up under the pressure of untrusted input.
Securing the Internet of Things Using AI
These four vulnerabilities in ESP-IDF highlight the importance of securing modern embedded attack surfaces. Embedded systems combine radio protocols, media parsers, hardware drivers, vendor SDKs, and long-lived compatibility code. And while reachable paths are often narrow, the consequences are concrete.
As attackers gain access to frontier-class detection capabilities, the risks to embedded devices will be felt wherever they are deployed. The AI arms race is here to stay. The question is, will defenders be empowered to hold their own?
AISLE was built to accelerate vulnerability pipelines by automating issue detection, triage, and remediation. See how it can help you defend your embedded platform.
Our thanks go to Espressif for their collaboration throughout the disclosure and remediation process. These findings were verified and reported by Pavel Kohout using the AISLE platform.