The severity is rated HIGH due to the potential for unauthorized code execution if an attacker can supply a malicious firmware image. The real-world exploitability depends on access control over flashing operations; with physical or network access, exploitation is feasible.
The espflash Go CLI and library, used for flashing firmware to Espressif ESP8266 and ESP32-family microcontrollers, has a potential security vulnerability related to the handling of firmware images. The attack vector involves improperly validated input during firmware flashing operations, which could lead to unauthorized code execution or denial-of-service conditions on affected devices.
Affected Systems
- ESP8266
- ESP32
- ESP32-S2
- ESP32-S3
- ESP32-C2 (ESP8684)
- ESP32-C3
- ESP32-C6
- ESP32-H2
Affected Versions: All versions prior to the latest update
Remediation
- Update espflash to the latest version using: go install tinygo.org/x/espflash@latest
- Verify that all firmware images are from trusted sources before flashing.
- Apply strict access controls over devices during firmware updates.
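One way to enforce the "trusted sources" step before a flashing tool is invoked, as an added example (not espflash's own code and not calling its API): the image is accepted only if its SHA-256 digest appears in a manifest of digests pinned from a trusted build. The names VerifyImage, DigestHex, maxImageSize and the manifest layout are assumptions made for illustration, and the sample bytes are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	espImageMagic = 0xE9     // first byte of an Espressif app/bootloader image header
	maxImageSize  = 16 << 20 // assumed cap (16 MiB); set to the target's flash size
)

var (
	ErrSize      = errors.New("image is empty or exceeds size cap")
	ErrBadMagic  = errors.New("image does not start with ESP magic byte 0xE9")
	ErrUntrusted = errors.New("image digest is not in the trusted manifest")
)

// DigestHex returns the lowercase hex SHA-256 of an image.
func DigestHex(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// VerifyImage (hypothetical helper) returns the manifest label or an error that must stop the flash.
// The magic check fits single app/bootloader images; merged flash images may start with padding.
func VerifyImage(image []byte, trusted map[string]string) (string, error) {
	if len(image) == 0 || len(image) > maxImageSize {
		return "", ErrSize
	}
	if image[0] != espImageMagic {
		return "", ErrBadMagic
	}
	label, ok := trusted[DigestHex(image)]
	if !ok {
		return "", ErrUntrusted
	}
	return label, nil
}

func main() {
	good := []byte{0xE9, 0x01, 0x02, 0x20, 0x00, 0x00, 0x08, 0x40}  // constructed sample
	trusted := map[string]string{DigestHex(good): "release-sample"} // pinned digests in practice
	tampered := append(append([]byte{}, good[:7]...), good[7]^1)    // one bit flipped
	fmt.Println(VerifyImage(good, trusted))
	fmt.Println(VerifyImage(tampered, trusted))
}
```

The manifest itself has to come from a channel the flashing host already trusts, otherwise the check only proves the image matches whatever list arrived with it.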
Stack Impact
This affects embedded systems and potentially any service or application relying on ESP8266 or ESP32-family microcontrollers for networked operations.