Mallory
Severity: High

Missing Authentication in Airoha Bluetooth BR/EDR allowing unauthorized audio connection

Identifiers: CVE-2025-20701, CWE-306

CVE-2025-20701 is a missing-authentication vulnerability in the Bluetooth Classic (BR/EDR) functionality of Airoha Bluetooth audio SDK / Airoha-based SoCs used in devices including Beats Studio Buds. The flaw allows a nearby attacker to establish an unauthorized Bluetooth Classic connection to a target audio device without user consent or prior pairing. Reported technical details indicate the weakness affects BR/EDR connection handling and can permit unauthorized two-way audio connections, including use of the Hands-Free Profile (HFP). Apple states that, for affected Beats Studio Buds, an attacker within Bluetooth range may be able to listen through the microphone of a device that is not yet paired and is actively seeking pairing requests. The issue has been described by researchers as missing authentication for Bluetooth BR/EDR and as part of the broader 'Headphone Jacking' Airoha vulnerability set.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker in Bluetooth proximity to connect to the vulnerable headset/earbuds without authorization and access live audio paths. In the documented Beats Studio Buds case, this may enable eavesdropping through the device microphone before legitimate pairing. More generally, unauthorized HFP-capable connections can provide covert audio interception and privacy compromise. When combined with related Airoha flaws such as CVE-2025-20700 and CVE-2025-20702, the impact can expand to broader device takeover, memory access, Bluetooth link-key theft, impersonation of trusted peripherals, and abuse of the paired phone relationship.

Mitigation

If you can’t patch tonight, do this now.

Until patched firmware is installed, reduce exposure by keeping vulnerable audio devices out of discoverable or pairing-seeking states when they are not needed, minimizing their use in untrusted public environments, and limiting opportunities for an attacker to get within Bluetooth range. Users should ensure headphone firmware is updated and remove or retire devices that no longer receive security updates. Because exploitation requires Bluetooth-range proximity, operational controls that restrict nearby attacker access reduce risk, but they do not eliminate it.

Remediation

Patch, then assume compromise.

Apply vendor firmware updates that incorporate Airoha's fixes for the BR/EDR authentication weakness. For Beats Studio Buds, Apple indicates the issue is addressed in Beats Firmware Update 1B211, which is automatically delivered when the headphones are paired and within Bluetooth range of an iPhone, iPad, or Mac. More broadly, manufacturers using affected Airoha SDK/SoCs should integrate the updated Airoha SDK and ship patched firmware to end users.

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

