Security researchers have disclosed significant vulnerabilities affecting widely used Bluetooth headphones and earbuds that could allow attackers to eavesdrop on conversations, steal sensitive information, and even hijack connected smartphones.
The flaws, tracked as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, affect devices powered by Airoha Bluetooth Systems-on-Chip (SoCs), which are used by major manufacturers including Sony, Bose, JBL, Marshall, and Jabra.
CVE ID          Vulnerability Name                   CVSS Score
CVE-2025-20700  Missing Authentication (BLE)         8.8
CVE-2025-20701  Missing Authentication (Classic)     8.8
CVE-2025-20702  RACE Protocol RCE / Arbitrary Read   9.6
The vulnerabilities were initially disclosed in June 2025, giving vendors time to develop patches.
However, six months later, many devices remain unpatched, prompting the researchers to release full technical details alongside a white paper and the RACE Toolkit, a tool enabling users and security professionals to verify whether their devices are vulnerable.
Airoha is a major supplier of Bluetooth SoCs, particularly for True Wireless Stereo (TWS) earbuds. The company provides reference designs and SDK implementations that manufacturers integrate into their products.
ERNW researchers found that Airoha-based devices expose a custom protocol called RACE (Remote Access Control Engine) over multiple interfaces, including Bluetooth Low Energy, Bluetooth Classic, and USB HID connections.
RACE protocol
The RACE protocol was originally intended for factory debugging and firmware updates, offering powerful capabilities such as reading and writing arbitrary regions of both flash memory and RAM.
The first vulnerability, CVE-2025-20700, involves missing authentication for GATT services over Bluetooth Low Energy. Attackers can discover and connect to vulnerable headphones within Bluetooth range without pairing, gaining silent access to the RACE protocol. This connection typically occurs without any user notification, making the attack entirely covert.
CVE-2025-20701 addresses missing authentication for Bluetooth Classic connections. While these connections are generally more visible and may interrupt audio streams, unauthenticated access allows attackers to establish two-way audio connections, potentially enabling eavesdropping through the device's microphone via the Hands-Free Profile (HFP).
The third flaw, CVE-2025-20702, concerns the critical capabilities exposed through the RACE protocol itself.
Specific commands allow attackers to retrieve device information, read flash memory pages, perform arbitrary read/write operations on RAM, and obtain the device's Bluetooth Classic address. These capabilities enable attackers to modify devices and extract sensitive configuration data.
From Headphones to Smartphones
The most severe impact occurs when attackers chain these vulnerabilities to compromise connected smartphones. The attack sequence begins with an attacker connecting to nearby headphones via BLE or Bluetooth Classic, then using the RACE protocol to dump the device's flash memory.
This memory contains a connection table with paired-device information, including the cryptographic Link Key used for mutual authentication between the headphones and the phone.
Armed with this Link Key, attackers can impersonate the trusted headphones and connect to the victim's smartphone from a privileged position.
This enables several attack vectors, including extracting the victim's phone number and contacts, triggering voice assistants such as Siri or Google Assistant to send messages or make calls, hijacking incoming calls, and establishing eavesdropping connections using the phone's internal microphone, according to ERNW's research.
The researchers demonstrated proof-of-concept attacks that successfully compromised WhatsApp and Amazon accounts, highlighting the real-world severity of these vulnerabilities.
The researchers confirmed the vulnerabilities across numerous popular devices, though the complete list of affected products remains unclear.
Verified vulnerable devices include several Sony WH and WF series headphones (including the flagship WH-1000XM5 and WF-1000XM5), Bose QuietComfort Earbuds, JBL Live Buds 3, Marshall MAJOR V and MINOR IV, and various other models from Beyerdynamic, Jabra, and Teufel.
Some manufacturers have released firmware updates addressing these issues. Jabra stands out for transparency, publicly listing affected devices in its security center and citing the CVE numbers in its firmware release notes. Marshall and Beyerdynamic have also issued updates, though the availability of information varies considerably across vendors.
Users should update their Bluetooth headphones immediately through the manufacturer's app or website. High-value targets such as journalists, diplomats, and politicians should consider switching to wired headphones to eliminate Bluetooth-based attack vectors.
Users should also review and remove unused paired devices from their phones to minimize the number of potentially compromised Link Keys.
Manufacturers must apply Airoha's SDK patches immediately and conduct thorough security assessments before releasing products. Following established Bluetooth security testing methodologies could prevent similar vulnerabilities in future devices.