Apple Fixes Beats Studio Buds Vulnerability Allowing Nearby Eavesdropping

Apple has released a firmware update for its Beats Studio Buds wireless earbuds to address a significant security vulnerability that could allow nearby attackers to eavesdrop on users. This flaw, identified as CVE-2025-20701 with a CVSS score of 8.8, involves improper authorization in the Airoha Bluetooth audio SDK, enabling unauthorized pairing of Bluetooth audio devices without user consent.

Exploiting this vulnerability could permit remote privilege escalation without requiring additional execution privileges or user interaction. Apple has resolved this issue in Beats Firmware Update 1B211. According to Apple’s advisory, an attacker within Bluetooth range could potentially listen through the microphone of a device that is actively accepting pairing requests but has not yet been paired.

The vulnerability was initially reported in June 2025 by ERNW GmbH researchers Dennis Heinze and Frieder Steinmetz during the TROOPERS security conference in Germany. They highlighted this flaw alongside two other vulnerabilities in Airoha SoCs (CVE-2025-20700 and CVE-2025-20702). Similar patches were released by Jabra in December 2025.

The researchers noted that these vulnerabilities could allow attackers to fully control the headphones via Bluetooth without requiring authentication or pairing. The attacks could be executed over Bluetooth BR/EDR or Bluetooth Low Energy (BLE), with proximity being the only prerequisite. This access could enable reading and writing to the device’s RAM and flash memory, potentially compromising established trust relationships with paired devices like smartphones.

In a related development, Paradigm Shift disclosed a new iPhone SecureROM vulnerability affecting Apple’s A12 and A13 chips, along with a proof-of-concept exploit named ‘usbliter8.’ This exploit leverages a hardware bug in the USB controller and a configuration flaw in the device firmware. Since these vulnerabilities reside in immutable code, affected users are advised that upgrading to newer hardware is the most effective mitigation.

The exploit targets a flaw in the USB controller within Apple SoCs. The controller uses a memory buffer to store SETUP and OUT packets at the start of a data transfer. The researchers found that, because the controller accepts packets smaller than expected, it is possible to trigger a buffer underflow, which under certain conditions allows malicious code to be injected and executed.

Paradigm Shift noted that this issue likely originates in the USB controller hardware itself rather than in Apple’s software. The A11 chip is not susceptible, while the A12 and A13 chips are confirmed to be vulnerable: the A11 USB driver manually resets the DMA address after each packet, whereas the A12 and A13 drivers do not, which is what makes exploitation possible. A14 and later generations configure the DART (Apple’s IOMMU) correctly in SecureROM, rendering the vulnerability unexploitable there.

These developments underscore the importance of timely firmware updates and hardware upgrades in maintaining device security. Users of Beats Studio Buds should ensure their devices are updated to Firmware 1B211 to protect against potential eavesdropping attacks. Additionally, iPhone users with A12 and A13 chips should be aware of the SecureROM vulnerability and consider upgrading to newer hardware, since the flaw resides in immutable code and cannot be patched.