Apple has rolled out an update for its Beats Studio Buds wireless earbuds to address a critical vulnerability that could be exploited by nearby attackers. The flaw, identified as CVE-2025-20701, carries a high-severity CVSS score of 8.8, highlighting its potential impact on users.
Understanding the Security Flaw
This particular vulnerability stemmed from an incorrect authorization issue within the Airoha Bluetooth audio SDK. It allowed unauthorized pairing of Bluetooth audio devices without user consent. The flaw could lead to remote privilege escalation without requiring additional permissions or user interaction. Apple resolved this issue through the release of Beats Firmware Update 1B211.
In an advisory, Apple explained that an attacker within Bluetooth range could potentially use the microphone of a device that was not yet paired, particularly while the device was actively listening for pairing requests. This vulnerability was initially reported in June 2025 by ERNW GmbH researchers at the TROOPERS security conference in Germany. Similar vulnerabilities were addressed by Jabra in December 2025.
Potential Risks and Implications
The researchers noted that these vulnerabilities could let attackers fully control the headphones via Bluetooth, without needing authentication or pairing. The attack could be initiated over Bluetooth BR/EDR or Bluetooth Low Energy (BLE), with the only requirement being that the attacker is within Bluetooth range. Attackers could read and write the device’s RAM and flash, and hijack established trust relationships with other devices, such as smartphones paired with the headphones.
These capabilities opened up several attack scenarios, emphasizing the need for robust security measures in Bluetooth-enabled devices. This incident underscores the importance of timely firmware updates to mitigate emerging threats.
New Exploit in Apple’s A12 and A13 Chips
Concurrently, a new exploit named usbliter8 has been unveiled by Paradigm Shift, targeting Apple’s A12 and A13 chips. This exploit affects the SecureROM and is facilitated by a hardware bug in the USB controller, coupled with a specific firmware configuration flaw. As the vulnerability exists in immutable code, affected users are encouraged to upgrade to newer hardware models for effective mitigation.
Paradigm Shift’s revelation highlighted that the flaw allows for malicious code injection by exploiting a buffer underflow in the USB controller. This issue appears to be hardware-rooted, as the A11 chip is unaffected, whereas A12 and A13 are vulnerable. The usbliter8 exploit mirrors the functionality of the well-known checkm8 exploit impacting earlier iOS devices.
Overall, these discoveries point to the critical nature of SecureROM security, as vulnerabilities at this level can compromise the integrity of the entire device. While usbliter8 does not directly affect the Secure Enclave Processor (SEP), it broadens the set of attack vectors against the Secure Enclave, emphasizing the need for ongoing vigilance in device security.
