Apple patches Beats Studio Buds flaw that allowed eavesdropping via Bluetooth

"An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests," Apple explained in a Tuesday advisory.

CVE-2025-20701 and Apple’s response

Apple released security updates to patch a high-severity flaw tracked as CVE-2025-20701 that affected Beats Studio Buds wireless earbuds and could let attackers in Bluetooth range eavesdrop on conversations. The company said the vulnerability is "in open source code" and that "Apple Software is among the affected projects." Apple fixed the problem in Beats Firmware Update 1B211; the update will be delivered automatically to affected headphones when they are paired and within Bluetooth range of the user's iPhone, iPad, or Mac. Users can confirm whether the firmware has been applied from the Bluetooth settings by tapping the info button next to the headphones.

What the ERNW researchers demonstrated at TROOPERS

The flaw was discovered by Dennis Heinze and Frieder Steinmetz of ERNW GmbH and disclosed at the TROOPERS security conference in Germany one year ago. The researchers said the issue stems from missing authentication in the Bluetooth BR/EDR interface of Airoha system-on-a-chip (SoC) components. They published a proof-of-concept exploit that can initiate a call and eavesdrop on conversations within earshot of the targeted phone.

How the flaws chain together: CVE-2025-20700, 20701, 20702 and HFP abuse

ERNW reported that chaining CVE-2025-20701 with two other vulnerabilities affecting the same component (CVE-2025-20700 and CVE-2025-20702) enables an attacker to use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone after hijacking the connection between the phone and a paired Bluetooth audio device. The researchers warned that "in most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required." They emphasized that the vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE).

According to the researchers, "Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash." They also reported being able to extract Bluetooth link keys from a vulnerable device's memory and, after doing so, retrieve call history and contacts and even call an arbitrary number.

How the threat actually looks in practice

ERNW described real-world exploitation as technically sophisticated and requiring physical proximity; they wrote that "real attacks are complex to perform" and therefore "should likely target only high-value targets." Even so, the proof-of-concept shows an attacker near a victim can both listen through an unpaired earbud's microphone and, when other vulnerabilities are combined, issue phone commands via HFP. The scope of available commands depends on the mobile operating system, but the researchers noted that "all major platforms support at least initiating and receiving calls."

What this means for open-source maintainers, end users, and adversaries

  • Open-source maintainers and SoC vendors: The advisory names a vulnerability in open source code and implicates Airoha SoCs; maintainers and vendors will need to review the implicated code paths and follow through on patches to prevent similar exposures in other projects that ship the same code.
  • End users of Beats Studio Buds: Apple says the Beats Firmware Update 1B211 will be automatically delivered when earbuds are paired and within Bluetooth range of an iPhone, iPad, or Mac. Users can verify firmware status in Bluetooth settings by tapping the info button next to the headphones.
  • Adversaries and threat actors: ERNW’s assessment that attacks require technical sophistication and proximity suggests exploiters will weigh effort versus value; the proof-of-concept demonstrates the practical impact—eavesdropping, extracting link keys, and initiating calls—if high-value targets are chosen.

Apple’s patch closes a specific, demonstrable path for Bluetooth-based eavesdropping on Beats Studio Buds, but the researchers’ findings underline how flaws in open-source components and SoC firmware can be chained into powerful attacks. For owners of affected headphones, the immediate, verifiable step is confirming that Beats Firmware Update 1B211 is applied; for developers and vendors, the incident reinforces scrutiny of shared code running in Bluetooth radios and SoC stacks.