PT-2025-28253 · Arduino · Arduino-Esp32
Jlleitschuh · Published 2025-07-07 · Updated 2025-07-08 · CVE-2025-53540
CVSS v2.0: 10 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: arduino-esp32 versions prior to 3.2.1
Description: The issue affects several OTA update examples and the HTTPUpdateServer implementation in the arduino-esp32 core. Because firmware uploads submitted via POST requests lack Cross-Site Request Forgery (CSRF) protection, an attacker can upload and execute arbitrary firmware, resulting in remote code execution (RCE).
Recommendations: For versions prior to 3.2.1, update to version 3.2.1, which resolves the issue. Until the patch is applied, disable the OTA update feature as a temporary workaround, restrict access to the update endpoints to minimize the risk of exploitation, and avoid using the HTTPUpdateServer implementation.
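The advisory's root cause is a firmware upload endpoint that accepts any POST, regardless of where the request was initiated. The following is an added example of the kind of same-origin gate such an endpoint needs; it is not code from arduino-esp32 or from the 3.2.1 fix, and the function names, the header map type and the allowHeaderlessClients policy switch are assumptions made for this illustration. It compares the Origin header (falling back to Referer) of an incoming upload request against the Host header and refuses the request when they differ, which is what stops a page on another site from driving a victim's browser into posting firmware to the device.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <optional>
#include <string>

// Header names are stored lower-cased; values are kept as received.
// (Assumed representation for this example; a real server supplies its own accessor.)
using Headers = std::map<std::string, std::string>;

static std::string lowerCase(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Return the lower-cased "host[:port]" part of an absolute URL, e.g.
// "http://esp32.local:8080/update" -> "esp32.local:8080". nullopt if unparsable.
static std::optional<std::string> authorityOf(const std::string& url) {
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return std::nullopt;
    const auto start = schemeEnd + 3;
    const auto end = url.find_first_of("/?#", start);
    const std::string authority =
        url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    if (authority.empty()) return std::nullopt;
    return lowerCase(authority);
}

// Same-origin gate for a state-changing request such as a firmware upload POST.
// Policy:
//  * Origin present  -> must equal the Host header; the literal "null" is rejected.
//  * Origin absent   -> fall back to the Referer authority, same comparison.
//  * neither present -> browsers attach Origin to cross-site POSTs, so this is most
//    likely a non-browser client (an upload script or tool); the caller decides via
//    allowHeaderlessClients whether such clients are accepted.
// No default-port normalisation is done: browsers omit ":80"/":443" in both Origin
// and Host, so a literal comparison is sufficient for the browser (CSRF) case.
bool firmwareUploadAllowed(const Headers& h, bool allowHeaderlessClients) {
    const auto hostIt = h.find("host");
    if (hostIt == h.end()) return false;           // HTTP/1.1 requires Host; refuse without it
    const std::string host = lowerCase(hostIt->second);

    if (const auto origin = h.find("origin"); origin != h.end()) {
        if (origin->second == "null") return false; // opaque origin (sandboxed frame, file://)
        const auto a = authorityOf(origin->second);
        return a.has_value() && *a == host;
    }
    if (const auto referer = h.find("referer"); referer != h.end()) {
        const auto a = authorityOf(referer->second);
        return a.has_value() && *a == host;
    }
    return allowHeaderlessClients;
}

int main() {
    // Constructed sample requests: one from the device's own update page,
    // one forged from a page on another site.
    const Headers sameSite{{"host", "esp32.local"}, {"origin", "http://esp32.local"}};
    const Headers crossSite{{"host", "esp32.local"}, {"origin", "http://attacker.example"}};
    std::printf("same-site upload allowed:  %s\n", firmwareUploadAllowed(sameSite, false) ? "yes" : "no");
    std::printf("cross-site upload allowed: %s\n", firmwareUploadAllowed(crossSite, false) ? "yes" : "no");
    return 0;
}
```

The check is deliberately placed before any bytes of the upload are written to the OTA partition, since once a cross-site request has streamed an image to the device the damage is done. Whether to accept requests that carry neither Origin nor Referer is a deployment decision: refusing them is the safer default, while accepting them keeps command-line upload tools working at the cost of trusting any client that omits those headers.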

Tags: Exploit · Fix · RCE · CSRF

Weakness Enumeration

Related Identifiers

BDU:2025-14626
CVE-2025-53540
GHSA-9VFW-WX65-C872

Affected Products

Arduino-Esp32