Severity: High

Missing Authentication in Airoha Bluetooth BR/EDR allowing unauthorized audio connection

Identifiers: CVE-2025-20701, CWE-306

CVE-2025-20701 is a missing-authentication vulnerability in the Bluetooth Classic (BR/EDR) functionality of Airoha Bluetooth audio SDK / Airoha-based SoCs used in devices including Beats Studio Buds. The flaw allows a nearby attacker to establish an unauthorized Bluetooth Classic connection to a target audio device without user consent and without prior pairing. Available reporting indicates the issue affects devices that are not yet paired and are actively seeking pairing requests. Researchers and vendor statements describe the weakness as missing authentication in the BR/EDR path, enabling unauthorized two-way audio connections, including use of the Hands-Free Profile (HFP), which can expose microphone audio from the target device.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful attacker within Bluetooth range can connect to the vulnerable headset/earbuds without authorization and eavesdrop via the device microphone. The primary impact described in the source material is remote privilege escalation in the Bluetooth trust boundary and unauthorized audio access, specifically the ability to establish two-way audio/HFP connections and listen to conversations. In broader attack chains with related Airoha vulnerabilities, this issue can contribute to takeover of the audio device and downstream abuse of the paired phone relationship, but those additional effects are not solely attributable to CVE-2025-20701.

Mitigation

If you can’t patch tonight, do this now.

Until patched firmware is installed, reduce exposure by limiting the device's discoverable/pairing state, avoiding leaving unpaired devices actively seeking pairing requests in untrusted environments, and minimizing use in proximity to potential attackers. Keep headphone firmware current and verify installed firmware version where supported. Because exploitation requires physical proximity within Bluetooth range, operational mitigations should focus on controlling nearby access and avoiding use of vulnerable devices in sensitive settings until updated.

Remediation

Patch, then assume compromise.

Apply vendor firmware updates that incorporate Airoha's fixes for the BR/EDR authentication weakness. For Beats Studio Buds, Apple states the issue is addressed in Beats Firmware Update 1B211, which is automatically delivered when the headphones are paired and within Bluetooth range of an iPhone, iPad, or Mac. More generally, manufacturers using affected Airoha SDK/SoCs should integrate the updated Airoha SDK and ship device-specific firmware updates.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
