CTF · ESP32 · Embedded security

We take embedded
systems apart.

We put hardware on CTFs.

IoT, OT and ESP32 challenges, an open-source ESP32 platform and a learning platform built around real devices. A French non-profit that builds, breaks and publishes what it finds.

See the CTF The framework
12 Published CVEs
9.3 Top CVSS (critical)
28 CTF challenges
1,479 CTF players
New platform Beta · Free

Espilon Learn

Hardware security training on real IoT, OT and embedded devices. Courses, challenges, labs and device emulation.

Hardware Hacking UART · SPI · I2C · JTAG Firmware & RE ESP32 Security IoT Attack Surface OT / ICS
Start learning → Free · No account required to browse
24 Courses Structured paths with theory, labs and quizzes
28 Challenges Standalone flags, practice at your own pace
7 Labs Spawnable multi-service environments
CVE Device Emulation Real device emulation to reproduce CVEs hands-on
Latest findings

What we find

A few of our published findings. The full list lives on the advisories page.

Critical · 9.3 Espressif

CVE-2026-45328

Out-of-bounds write in the ESP-TEE secure service wrappers: a write primitive inside the part of the chip that's supposed to be trusted.

ESP-TEEesp-idf
Advisory →
5 × High/Med AWS · FreeRTOS

FreeRTOS-Plus-TCP & coreMQTT

Five CVEs in the network stack that ships on millions of devices: an RA out-of-bounds write, a DHCPv6 integer underflow, an MQTT v5 DoS and more.

TCP/IPMQTT
Open →
Medium Arduino

CVE-2026-47773

Memory corruption in ArduinoBLE via a malformed ATT write request. Send the wrong bytes over Bluetooth, corrupt the parser's memory.

BLEATT
Advisory →
The platform

The framework

One ESP32 firmware. Every capability is a signed module you push at runtime.

The device ships with a loader, a crypto core and a transport. Everything else arrives as a signed module, a sensor driver, a mesh node, a recon tool, loaded into IRAM at runtime, encrypted in, wiped on unload. Same engine, any job.

C3PO
Python operator server · Qt app
ChaCha20-Poly1305 · protobuf
Firmware
ESP32 · loader + crypto + transport only
signed modules → IRAM
Modules
Loaded at runtime · zeroed on unload
New tool

SimSift

Portable SIM card forensic tool on ESP32. Compatible with LilyGo T-Call and T-SIM7070G.

ESP32 SIM Forensics C
GitHub →
SimSift
New tool

Espilon Monitor

Universal serial monitor for embedded devices. Watch multiple ports, detect crashes and events by regex pattern, fire Python hooks, stream structured JSON to your pipeline.

C Serial ESP32 CI-ready
sudo apt install emon brew install EspilonOrg/tap/emon yay -S emon
Espilon Monitor demo
Open source

Everything we ship

Framework, CTF, docs, blog and tools. All open, all linked below.

Espilon Learn Hardware security training: courses, challenges, labs and real device emulation. Hardware, IoT, OT, ESP32.
HardwareIoTOT
Beta
Espilon-Firmware ESP32 loader, ChaCha20-Poly1305 crypto core, WiFi and GPRS transports. Anti-forensic IRAM wipe.
CESP-IDFFreeRTOS
Incoming · Release
C3PO Operator server: Qt6 desktop app, TCP C2, per-device keystore, module compiler and injector.
PythonQt6C2
Incoming · Release
ESPM Dynamic ELF loader for ESP32. HMAC-SHA256 signature check, 110-function syscall table, per-module watchdog.
CESP-IDFELF
Incoming · Release
Espilon Monitor Universal serial monitor for embedded devices. Multi-port, pattern detection, automatic reactions.
CSerialEmbedded
New
SimSift Portable forensic tool for SIM cards and cellular data. Autonomous, ESP32-based, no laptop required.
ESP32SIMForensicsC
New
Espilon CTF 28 hardware, IoT and OT challenges across 6 categories. 1,479 players, 1,470 solves. Write-ups published.
HardwareIoTOT
Live
Documentation Build guides, hardware wiring, the full module API and field use cases for the framework.
GuidesAPIMkDocs
Live
Blog Vulnerability write-ups, CTF solutions and the occasional rant about embedded security done wrong.
Write-upsResearchHugo
Live
Eye_On_xG Interactive map of cellular antenna coverage across France, 2G to 5G, built on official ANFR open data.
2G4G5GANFR
Live
Advisories 12 published CVEs in Espressif, AWS/FreeRTOS and Arduino code. GHSA links for each one.
CVEGHSADisclosure
Live
Community

Come hang out

Write-ups, challenge support, hardware finds and IoT/OT talk. New challenges drop regularly.

Join Discord View the CTF