References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AND
     OR
          *cpe:2.3:o:netun:helpflash_iot_firmware:18_178_221102_ascii_pro_1r5_50:*:*:*:*:*:*:*
     OR
          cpe:2.3:h:netun:helpflash_iot:-:*:*:*:*:*:*:*

MITRE: https://docs.espressif.com/projects/esp-idf/en/v4.3.2/ Types: Product

MITRE: https://luismirandaacebedo.github.io/CVE-2025-65855/ Types: Third Party Advisory

AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-319

CWE-494

CWE-798

The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device.

https://docs.espressif.com/projects/esp-idf/en/v4.3.2/

https://luismirandaacebedo.github.io/CVE-2025-65855/