Beats Studio Buds Bluetooth Flaw Allows Eavesdropping

A high-severity vulnerability has been found in Apple's Beats Studio Buds wireless earbuds, and the company has issued a firmware patch to address it.

The vulnerability, CVE-2025-20701, has a CVSS score of 8.8 and is attributed to improper authorization in Airoha's Bluetooth audio SDK. An unauthorized device within Bluetooth range can pair with a user's Beats Studio Buds and use their audio over Bluetooth.

No user interaction is required. No additional privileges are needed. Just Bluetooth range.

The patch is included in Beats Firmware Update 1B211. If you own Beats Studio Buds, update them now.

How the Vulnerability Works

The Beats Studio Buds Bluetooth eavesdropping vulnerability stems from a flaw in how the Airoha chipset handles pairing requests. Normally, pairing requires confirmation before two Bluetooth devices connect; this vulnerability allows that step to be skipped. An attacker in proximity to a target can create a bond with the headphones and connect a malicious device that way.

After connecting, an attacker can:
1. Listen through the microphone
2. Read and write the device's RAM and flash
3. Hijack established trust relationships with paired devices like phones

The researchers who discovered the flaw described the attack surface as broad: "In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required."

The vulnerability can be triggered over Bluetooth BR/EDR or Bluetooth Low Energy (BLE). The only precondition is being in Bluetooth range.

Similar Vulnerabilities in Other Devices

The Beats Studio Buds Bluetooth eavesdropping vulnerability is not an isolated issue. Two other flaws in Airoha SoCs, CVE-2025-20700 and CVE-2025-20702, were disclosed alongside it. Jabra released similar patches for its devices in December 2025.

The vulnerabilities appear to affect a broad range of devices using Airoha Bluetooth chips. The researchers who discovered the flaws presented their findings at the TROOPERS security conference in Germany in June 2025.

What Users Should Do

If you own Beats Studio Buds, update them to firmware version 1B211 immediately. Apple's advisory states: "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests."

That is the key detail: the vulnerability is active when the device is not yet paired and is seeking pair requests. The attack window is when the headphones are in pairing mode.

New iPhone BootROM Exploit: usbliter8

Separately, security researchers at Paradigm Shift have disclosed a new iPhone BootROM vulnerability affecting Apple's A12 and A13 chips. The exploit, codenamed usbliter8, is comparable to the famous checkm8 exploit, but on more recent devices.

checkm8 impacted all iOS devices from the iPhone 4s (A5 chip) through the iPhone 8 and iPhone X (A11 chip).

usbliter8 affects A12 and A13 chip devices, including:
1. iPhone XS and XS Max
2. iPhone XR
3. iPhone 11, 11 Pro, and 11 Pro Max

The A11 chip is not susceptible. A14 and later are also not susceptible.

How usbliter8 Works

The usbliter8 exploit combines two components:
1. A hardware flaw in the USB controller built into the Apple SoC
2. A firmware configuration flaw on the device

The USB controller uses a memory buffer to hold the data packets at the start of a transfer from the host to the device. During their study, the researchers found that the controller accepts packets smaller than the buffer size, which yields a buffer underflow primitive. Under certain circumstances this permits the injection and execution of malicious code.

The underlying problem resides in the USB controller itself rather than in Apple's software.

The following explains why the attack succeeds on certain chips but not others:
1. A11: The USB driver manually resets the DMA address back to its starting value after receiving each packet, which prevents the attack.

2. A12 and A13: The USB DART was configured in bypass mode, or otherwise granted unrestricted access to overwrite SRAM data.

3. A14 and later: SecureROM configures the DART properly, which prevents any exploitation of this design flaw.
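The two controls the article names, re-arming the DMA address after every packet (the A11 behaviour) and a correctly configured DART that refuses writes outside the mapped window (the A14 behaviour), can be illustrated in a small model. The following C program is an added example written for this page; it is not Apple's code, not the researchers' code, and not a model of the real A12/A13 hardware. The 256-byte SRAM layout, the 64-byte receive window, the 40-byte packets and the pointer-drift rule are all constructed assumptions chosen only to show why each control on its own keeps incoming bytes inside the window.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not any real SoC): 256 bytes of device SRAM. The driver
 * maps a 64-byte receive window at offset 64; every other byte stands in for
 * data the USB controller must never be allowed to touch. */
#define SRAM_SIZE 256
#define RX_BASE    64
#define RX_SIZE    64

typedef struct {
    uint8_t  sram[SRAM_SIZE];
    uint32_t dma_addr;         /* where the next received bytes are written */
    bool     dart_bypass;      /* true: DART in bypass, no address check (weak) */
    bool     reset_per_packet; /* true: driver re-arms dma_addr for every packet */
    uint32_t rejected;         /* writes the DART model refused */
} usb_model_t;

static void usb_init(usb_model_t *u, bool dart_bypass, bool reset_per_packet)
{
    memset(u, 0, sizeof *u);
    u->dma_addr = RX_BASE;
    u->dart_bypass = dart_bypass;
    u->reset_per_packet = reset_per_packet;
}

/* DART model: permit the write only if the whole range lies inside the mapped
 * window. Written to avoid unsigned wrap-around in the bounds arithmetic. */
static bool dart_allows(const usb_model_t *u, uint32_t addr, uint32_t len)
{
    if (u->dart_bypass)
        return true;
    return addr >= RX_BASE && len <= RX_SIZE && addr - RX_BASE <= RX_SIZE - len;
}

/* The controller receives one packet. Modelled quirk: the DMA pointer advances
 * by the bytes actually received, so without a reset a run of short packets
 * walks the pointer out of the window. */
static bool usb_receive(usb_model_t *u, const uint8_t *pkt, uint32_t len)
{
    if (u->reset_per_packet)
        u->dma_addr = RX_BASE;            /* A11-style: re-arm before each packet */

    if (!dart_allows(u, u->dma_addr, len)) {
        u->rejected++;                    /* A14-style: DART refuses the write */
        return false;
    }
    memcpy(&u->sram[u->dma_addr], pkt, len);
    u->dma_addr += len;
    return true;
}

/* True if any byte outside the receive window changed from its zero state. */
static bool outside_window_modified(const usb_model_t *u)
{
    for (uint32_t i = 0; i < SRAM_SIZE; i++) {
        if (i >= RX_BASE && i < RX_BASE + RX_SIZE)
            continue;
        if (u->sram[i] != 0)
            return true;
    }
    return false;
}

/* Constructed traffic: three 40-byte packets, 120 bytes aimed at a 64-byte window. */
static void run_stream(usb_model_t *u)
{
    uint8_t pkt[40];
    memset(pkt, 0xAA, sizeof pkt);
    for (int i = 0; i < 3; i++)
        usb_receive(u, pkt, sizeof pkt);
}

/* Did the configuration let the stream clobber SRAM outside the window? */
static bool run_scenario(bool dart_bypass, bool reset_per_packet)
{
    usb_model_t u;
    usb_init(&u, dart_bypass, reset_per_packet);
    run_stream(&u);
    return outside_window_modified(&u);
}

/* How many writes the DART model refused for the same stream. */
static uint32_t rejected_in_scenario(bool dart_bypass, bool reset_per_packet)
{
    usb_model_t u;
    usb_init(&u, dart_bypass, reset_per_packet);
    run_stream(&u);
    return u.rejected;
}

int main(void)
{
    printf("DART bypass, no reset    -> outside window modified: %d\n", run_scenario(true, false));
    printf("DART bypass, reset/pkt   -> outside window modified: %d\n", run_scenario(true, true));
    printf("DART enforced, no reset  -> outside window modified: %d (rejected %u)\n",
           run_scenario(false, false), rejected_in_scenario(false, false));
    return 0;
}
```

Only the first configuration, bypass with no reset, lets bytes land outside the window; the per-packet reset and the enforced DART each stop it independently, which is why the article can attribute A11's immunity to the driver and A14's immunity to SecureROM's DART setup.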

Why BootROM Vulnerabilities Matter

The SecureROM, or BootROM, is the first code that runs when an iPhone powers on. It is immutable: it cannot be patched or updated. A vulnerability at this level is permanent.

The usbliter8 exploit demonstrates that even on more recent SecureROM generations, including those protected by Pointer Authentication, subtle hardware bugs can still be leveraged to achieve full code execution and break the chain of trust.

As the researchers noted: "The security of the BootROM is critical: vulnerabilities at this level can compromise the integrity of the entire device. Although usbliter8 doesn't affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave."

The Bottom Line

The Beats Studio Buds Bluetooth eavesdropping vulnerability is patched. If you own these headphones, update them immediately. The vulnerability allows nearby attackers to listen through your microphone without your consent.

The iPhone BootROM exploit is not patched. It cannot be patched. If you own an A12 or A13 device, the vulnerability is permanent. As the researchers noted, migrating to newer hardware remains the most effective mitigation.

Two vulnerabilities. Two different timelines. The same lesson: security is not a one-time event.

FAQ Section

What is CVE-2025-20701?

The vulnerability identified as CVE-2025-20701 allows an attacker to connect their own Bluetooth device to a set of Beats Studio Buds if they are in close proximity; this also enables the attacker to listen remotely through the microphone.

Which devices are vulnerable?

Beats Studio Buds and other audio devices currently on the market that use the wireless earbud technology provided by Apple.

How does it all happen?

The attacker only has to be within range of the headphones to pair a malicious device without the user's approval. Once paired, the attacker can listen through the headphones' microphone and use certain other features.

What is usbliter8?

The usbliter8 BootROM exploit affects Apple's A12 and A13 processors and permits execution of attacker-supplied machine code at the lowest level of the device, similar to the checkm8 BootROM exploit but on more recent hardware.

Which devices does usbliter8 Target?

Any device that has an A12 or A13 chip. This includes the iPhone XS / XR, 11, 11 Pro / Pro Max.

Can usbliter8 be fixed or patched?

No. A BootROM vulnerability lives in the device's Boot ROM (read-only memory), which cannot be updated. The best way to mitigate this problem is to move to a newer-generation iPhone with an A14 or later chip.

Source: The Hacker News

 


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067