The vulnerability identified as CVE-2025-64342 resides in the Espressif Internet of Things Development Framework (esp-idf), specifically impacting the ESP32 microcontroller's Bluetooth advertising mode. The flaw arises when the ESP32 receives a Bluetooth connection request containing an invalid Access Address (AA) set to either 0x00000000 or 0xFFFFFFFF. Under normal operation, the Access Address is a unique 32-bit value used to identify a Bluetooth connection. However, the esp-idf fails to properly check for these unusual or exceptional AA values, which are invalid in the Bluetooth specification. When such a malformed request is received, the ESP32's advertising process may halt unexpectedly. Moreover, the controller erroneously signals a connection event to the host system, misleading the application layer into believing a connection has been successfully established. This improper check for exceptional conditions corresponds to CWE-754. The consequence is a disruption in Bluetooth advertising, which can degrade device availability and potentially cause application logic errors due to false connection states. The vulnerability affects multiple esp-idf versions starting from beta releases up to versions before the fixed releases 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. The issue does not require any privileges, authentication, or user interaction to exploit, and no known exploits have been reported in the wild as of publication. The CVSS 4.0 base score is 6.9, reflecting a medium severity with network attack vector, low attack complexity, and no privileges or user interaction required. The root cause is an improper validation of Bluetooth connection requests, leading to unexpected device behavior and potential denial of service conditions.

For European organizations deploying ESP32-based IoT devices, this vulnerability can lead to unexpected disruptions in Bluetooth advertising functionality, which is critical for device discoverability and connectivity. The false reporting of connection events may cause applications to mismanage connection states, potentially leading to logic errors, degraded device performance, or denial of service scenarios. In industrial, healthcare, smart city, or consumer IoT deployments, such disruptions could impair operational continuity, data collection, or user experience. While no direct data confidentiality or integrity compromise is indicated, the availability impact and application misbehavior could indirectly affect system reliability and trustworthiness. Organizations relying on Bluetooth connectivity for critical functions should consider this a moderate risk, especially where ESP32 devices are widely used. The lack of known exploits reduces immediate threat but does not eliminate risk, as attackers could craft malformed Bluetooth packets to trigger the issue. Given the widespread adoption of ESP32 in European IoT ecosystems, the impact could be significant if unpatched devices are targeted.

European organizations should promptly identify all ESP32 devices running vulnerable esp-idf versions and apply the patches provided in esp-idf releases 5.5.2, 5.4.3, 5.3.5, 5.2.6, or 5.1.7 as appropriate. Where immediate patching is not feasible, network-level controls can be implemented to monitor and filter Bluetooth traffic for malformed connection requests with invalid Access Addresses (0x00000000 or 0xFFFFFFFF). Device firmware should be updated to include robust validation of Bluetooth connection parameters to prevent advertising disruptions. Additionally, application logic should be hardened to verify connection states independently rather than relying solely on controller-reported events. Organizations should also conduct thorough testing of Bluetooth functionality post-update to ensure stability. Incorporating anomaly detection for unusual Bluetooth traffic patterns can provide early warning of exploitation attempts. Finally, maintain awareness of vendor advisories and monitor for any emerging exploits targeting this vulnerability.