Security researchers have uncovered significant vulnerabilities in the firmware of Xiaomi's popular Redmi Buds series, specifically affecting models ranging from the Redmi Buds 3 Pro up to the latest Redmi Buds 6 Pro.
The discovery highlights critical flaws in the Bluetooth implementation of these devices, allowing attackers to access sensitive information or force the devices offline. These exploits leverage the RFCOMM protocol and can be executed by an attacker within radio range without ever pairing with the target device.
Redmi Buds Vulnerability
The core of the problem lies in how the Redmi Buds firmware handles the RFCOMM control and signaling mechanisms. While the product specifications advertise standard support for profiles like HFP and A2DP, the devices actively listen on undocumented internal channels likely used for auxiliary services.
The first vulnerability, tracked as CVE-2025-13834, is an information leak caused by improper bounds checking. This flaw functions similarly to the infamous Heartbleed bug found in web servers years ago.
When the device receives a specially crafted TEST command with a manipulated length field on its control channel, the firmware fails to validate the request properly.
Instead of rejecting the malformed packet, the device reads from uninitialized memory and returns up to 127 bytes of data to the attacker. This out-of-bounds read can expose highly sensitive information residing in the memory pool, including the phone numbers of active call peers.
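The bug class described above, as an added illustration that is not the Redmi Buds firmware or the researchers' code: a hypothetical TEST-command echo handler that trusts the frame's own length field, beside the hardened form that rejects a length which does not match the bytes actually received. The 127-byte cap follows from RFCOMM framing, where the one-byte length octet carries an EA flag in its low bit and a 7-bit length in the rest; the wire layout, buffer names and stale-byte marker are assumptions of the simulation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical TEST-command handler illustrating the bug class; constructed
 * example code, not the Redmi Buds firmware. The RFCOMM length octet keeps
 * its low bit as the EA flag, leaving 7 bits of length, so a frame can claim
 * up to 127 payload bytes regardless of how many bytes actually arrived. */

#define RX_BUF_SIZE  256
#define MAX_TEST_LEN 127

/* Receive buffer reused across frames. Bytes past the current frame keep
 * whatever an earlier frame left there; 'S' stands in for that stale data. */
static uint8_t rx_buf[RX_BUF_SIZE];
uint8_t demo_out[MAX_TEST_LEN];              /* echo buffer used by callers */

/* Assumed layout for the simulation: rx_buf[0] = length octet,
 * rx_buf[1..] = TEST payload that the device echoes back to the sender. */
static void load_frame(const uint8_t *frame, size_t received) {
    memset(rx_buf, 'S', sizeof rx_buf);
    if (received > sizeof rx_buf) received = sizeof rx_buf;
    memcpy(rx_buf, frame, received);
}

/* Vulnerable pattern: trusts the claimed length and ignores `received`,
 * so stale bytes beyond the real payload are copied into the reply. */
int test_echo_unchecked(const uint8_t *frame, size_t received,
                        uint8_t *out, size_t out_cap) {
    load_frame(frame, received);
    size_t claimed = rx_buf[0] >> 1;         /* drop the EA bit */
    if (claimed > out_cap) return -1;
    memcpy(out, rx_buf + 1, claimed);
    return (int)claimed;
}

/* Hardened pattern: the claimed length must match the bytes received. */
int test_echo_checked(const uint8_t *frame, size_t received,
                      uint8_t *out, size_t out_cap) {
    if (received < 1) return -1;
    load_frame(frame, received);
    size_t claimed = rx_buf[0] >> 1;
    if (claimed > MAX_TEST_LEN || claimed > out_cap) return -1;
    if (claimed != received - 1) return -1;  /* length/frame mismatch */
    memcpy(out, rx_buf + 1, claimed);
    return (int)claimed;
}
```

A frame whose length octet is 0xFF (EA set, length 127) but which carries only three payload bytes makes the unchecked handler return 124 stale bytes, while the checked handler rejects it and only echoes a frame whose length octet agrees with its size.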
The second vulnerability, CVE-2025-13328, is a Denial of Service (DoS) flaw resulting from the firmware's inability to handle high-volume traffic.
Attackers can flood the standard control channel or undocumented service channels with legitimate TEST commands or Modem Status Command signaling frames.
This flood overwhelms the device's processing queue, leading to resource exhaustion. The result is a firmware crash that forcibly disconnects the user from their paired device.
CVE ID | Vulnerability Type | Impact | Severity
CVE-2025-13834 | Information Leak | Allows attackers to read uninitialized memory, potentially exposing phone numbers and metadata. | Critical
CVE-2025-13328 | Denial of Service | Enables attackers to crash the firmware and force device disconnection via packet flooding. | High
Exploitation and Operational Impact
The most alarming aspect of these vulnerabilities is the low barrier to entry for potential attackers. Exploitation does not require authentication, PIN pairing, or any user interaction.
An attacker only requires the MAC address of the target earbuds, which can be easily obtained using standard Bluetooth sniffing tools.
Tests conducted by the researchers demonstrated that these attacks could be successfully executed from approximately twenty meters away using standard dongles, though obstacles like walls may reduce this range.
The operational impact on the user ranges from privacy invasion to persistent disruption. The information leak poses a confidentiality risk, particularly for users conducting private calls in public spaces.
The attacker can repeatedly trigger the memory leak without the user noticing. Conversely, the Denial of Service attack disrupts availability. Once the firmware crashes, the earbuds become unresponsive and disconnect from the audio source, according to the CERT/CC note.
To restore functionality, the user must physically place the earbuds back into their charging case to initiate a reset, creating a significant nuisance if the attack is automated and repeated.
As of the disclosure of these findings, Xiaomi has not provided a statement regarding a firmware patch or specific remediation plans. The vulnerabilities were credited to researchers Choongin Lee, Jiwoong Ryu, and Heejo Lee.
Until a firmware update addresses the improper bounds-checking and resource-management issues, users are advised to disable Bluetooth on their mobile devices when not actively using their earbuds, especially in high-density public environments where the risk of local RF exploitation is highest.
