CVE-2023-35818 in ESP32
Summary
by MITRE • 07/17/2023
An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devices. An EMFI attack on ECO3 provides the attacker with a capability to influence the PC value at the CPU context level, regardless of Secure Boot and Flash Encryption status. By using this capability, the attacker can exploit another behavior in the chip to gain unauthorized access to the ROM download mode. Access to ROM download mode may be further exploited to read the encrypted flash content in cleartext format or execute stub code.
Analysis
by VulDB Data Team • 01/11/2026
The vulnerability identified as CVE-2023-35818 is a critical flaw in Espressif ESP32 3.0 devices that undermines the security architecture of these IoT chips. The issue resides in the ESP32_rev300 ROM and specifically affects the ECO3 implementation, giving a sophisticated attacker a path around security measures that are normally considered robust. It is exploited through electromagnetic fault injection (EMFI), which lets an adversary manipulate the processor's program counter at the CPU context level and so redirect execution flow regardless of the device's security configuration.
Exploitation begins with an EMFI attack on the ECO3 component, which gives the attacker the ability to influence the program counter value within the CPU context. This manipulation operates independently of Secure Boot and Flash Encryption, the protections normally expected to prevent unauthorized access to device internals, so neither of them stops it. Control over the program counter in this way bypasses the execution-flow protections that are standard in secure embedded systems.
The operational impact is particularly severe because the attacker can reach the ROM download mode, a privileged execution state within the device. Once in this mode, the adversary can exploit additional behaviors of the chip to read encrypted flash content in cleartext or execute arbitrary stub code. This combination of data exfiltration and code execution can compromise the entire device, effectively providing a backdoor around multiple layers of security that are usually considered sufficient to protect embedded systems.
From a cybersecurity perspective, the vulnerability aligns with CWE-377 and CWE-378, which address insecure handling of sensitive data and improper handling of fault injection attacks. The attack pattern follows ATT&CK techniques for privilege escalation and execution through fault injection, targeting the system firmware layer where traditional security controls fail. Because the vulnerability operates at the ROM level, it challenges the device's security model at its foundation: the layer on which all other security measures are built is itself compromised. Organizations relying on ESP32 devices for IoT applications face significant risk, as the vulnerability can be exploited without requiring physical access to the device or sophisticated hardware tools beyond those capable of EMFI attacks. The implications extend beyond data theft to system compromise and modification of device behavior through execution of malicious stub code in the ROM download mode.