Advisory

Researchers report Bluetooth flaws that enable remote eavesdropping, device hijacking

Take action: Be aware that your Bluetooth headphones and speakers from Sony, Marshall, JBL, Bose or other vendors may be critically vulnerable to remote eavesdropping attacks. There is no immediate patch, so check regularly until firmware updates become available, and in the meantime avoid using them in, or even bringing them into, sensitive environments. If you are a journalist, a diplomat, or work in a sensitive business, consider not using them at all, or regularly unpairing Bluetooth devices from your phone when they are not needed.


Learn More

Security researchers from the German cybersecurity firm ERNW are reporting a series of critical vulnerabilities affecting millions of Bluetooth headphones, earbuds, speakers, and wireless microphones worldwide. 

The flaws affect devices built on Airoha system-on-chip (SoC) technology and allow an attacker within Bluetooth range to eavesdrop on conversations, hijack device connections, and access sensitive data without any authentication or pairing.

Airoha is a Taiwanese manufacturer and a major supplier of Bluetooth SoCs for the True Wireless Stereo (TWS) market. The company's chips are widely used across the industry. Many device manufacturers may be unaware they are using Airoha components due to complex supply chains and outsourced development processes.

The vulnerabilities were first presented at the TROOPERS 2025 security conference in Germany on June 26, 2025:

  • CVE-2025-20700 (CVSS score ranging from 6.7 to 8.8 depending on the product scored) - Missing Authentication for GATT Services
  • CVE-2025-20701 (CVSS score ranging from 6.7 to 8.8 depending on the product scored) - Missing Authentication for Bluetooth BR/EDR
  • CVE-2025-20702 (CVSS score ranging from 7.5 to 9.6 depending on the product scored) - Critical Capabilities of a Custom Protocol

The flaws stem from a proprietary debugging protocol implemented in Airoha's Bluetooth reference software development kits (SDKs). The protocol requires no authentication and is reachable over both Bluetooth Low Energy (BLE, via GATT) and Bluetooth Classic (BR/EDR) connections: CVE-2025-20700 and CVE-2025-20701 cover the two unauthenticated transports, and CVE-2025-20702 the dangerous capabilities the protocol exposes once it is reached.

The vulnerabilities let an attacker within Bluetooth range (typically around 10 meters) fully compromise an affected device without any user interaction, pairing, or authentication. Malicious actors can read and write device RAM and flash memory, activate the microphone for eavesdropping, and, by extracting the link keys stored in that memory for paired smartphones, hijack those trust relationships: impersonating the headphones to the phone lets them initiate or intercept phone calls and pull contact lists and call histories from it.
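The class of bug the advisory describes is a custom debug protocol that the firmware services for any peer that can open the transport, with no reference to the link's pairing or authentication state. The C example below is added here as an illustration; it is not code from ERNW or Airoha, and the frame layout ([opcode][32-bit address][16-bit length][payload]), the opcodes, the link_ctx_t fields, the simulated memory region and every function name are assumptions. It runs the same command executor behind a vulnerable dispatcher that ignores link state and behind a hardened one that refuses to parse a frame unless the Bluetooth stack reports an authenticated link and debug mode has been explicitly unlocked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical debug frame (NOT the Airoha protocol, whose format this page does
 * not give): [opcode:1][addr:4 LE][len:2 LE][payload:len, writes only] */
enum { OP_READ_MEM = 0x01, OP_WRITE_MEM = 0x02 };
enum { DBG_OK = 0, DBG_ERR_FORMAT = -1, DBG_ERR_AUTH = -2,
       DBG_ERR_RANGE = -3, DBG_ERR_DISABLED = -4 };

/* Small simulated memory image standing in for the SoC's RAM/flash. */
#define MEM_BASE 0x20000000u
#define MEM_SIZE 256u
static uint8_t g_mem[MEM_SIZE];

/* What the Bluetooth stack already knows about the link a frame arrived on. */
typedef struct {
    bool authenticated;   /* paired, encrypted link, not a bare BLE/BR-EDR connect */
    bool debug_unlocked;  /* debug mode explicitly enabled (e.g. provisioning state) */
} link_ctx_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Map a device address + length onto the simulated image; reject anything outside. */
static int map_range(uint32_t addr, uint16_t len, size_t *off) {
    if (addr < MEM_BASE || len == 0) return DBG_ERR_RANGE;
    uint64_t end = (uint64_t)addr + len;              /* 64-bit: no wrap-around */
    if (end > (uint64_t)MEM_BASE + MEM_SIZE) return DBG_ERR_RANGE;
    *off = addr - MEM_BASE;
    return DBG_OK;
}

/* Command executor shared by both dispatchers: parses the frame and does the memory op. */
static int dbg_execute(const uint8_t *frame, size_t frame_len,
                       uint8_t *out, size_t out_cap, size_t *out_len) {
    if (frame_len < 7) return DBG_ERR_FORMAT;
    uint8_t op = frame[0];
    uint32_t addr = rd32le(frame + 1);
    uint16_t len = rd16le(frame + 5);
    size_t off;
    int rc = map_range(addr, len, &off);
    if (rc != DBG_OK) return rc;
    switch (op) {
    case OP_READ_MEM:
        if (len > out_cap) return DBG_ERR_FORMAT;
        memcpy(out, g_mem + off, len);                /* memory dump to the peer */
        *out_len = len;
        return DBG_OK;
    case OP_WRITE_MEM:
        if (frame_len < 7u + len) return DBG_ERR_FORMAT;
        memcpy(g_mem + off, frame + 7, len);          /* arbitrary memory write */
        *out_len = 0;
        return DBG_OK;
    default:
        return DBG_ERR_FORMAT;
    }
}

/* Vulnerable pattern: whoever can open the transport gets the full command set. */
int dbg_handle_vulnerable(const link_ctx_t *link, const uint8_t *frame, size_t frame_len,
                          uint8_t *out, size_t out_cap, size_t *out_len) {
    (void)link;                                       /* link state never consulted */
    return dbg_execute(frame, frame_len, out, out_cap, out_len);
}

/* Hardened pattern: authorise on link state before the frame is even parsed. */
int dbg_handle_hardened(const link_ctx_t *link, const uint8_t *frame, size_t frame_len,
                        uint8_t *out, size_t out_cap, size_t *out_len) {
    if (!link->debug_unlocked) return DBG_ERR_DISABLED;
    if (!link->authenticated) return DBG_ERR_AUTH;
    return dbg_execute(frame, frame_len, out, out_cap, out_len);
}

/* Demonstration helper: seed the image with 0xA5 and issue one READ_MEM frame. */
static uint8_t g_last_out[MEM_SIZE];
static size_t g_last_len;

int demo_read(bool hardened, bool authenticated, bool unlocked, uint32_t addr, uint16_t len) {
    memset(g_mem, 0xA5, MEM_SIZE);
    g_last_len = 0;
    uint8_t frame[7] = { OP_READ_MEM,
                         (uint8_t)addr, (uint8_t)(addr >> 8), (uint8_t)(addr >> 16), (uint8_t)(addr >> 24),
                         (uint8_t)len, (uint8_t)(len >> 8) };
    link_ctx_t link = { authenticated, unlocked };
    return hardened ? dbg_handle_hardened(&link, frame, sizeof frame, g_last_out, MEM_SIZE, &g_last_len)
                    : dbg_handle_vulnerable(&link, frame, sizeof frame, g_last_out, MEM_SIZE, &g_last_len);
}
size_t demo_last_len(void) { return g_last_len; }
int demo_last_byte(size_t i) { return i < g_last_len ? g_last_out[i] : -1; }

int main(void) {
    int rc = demo_read(false, false, false, MEM_BASE + 0x10, 16);
    printf("vulnerable dispatcher, unpaired peer: rc=%d, %zu bytes dumped\n", rc, demo_last_len());
    rc = demo_read(true, false, true, MEM_BASE + 0x10, 16);
    printf("hardened dispatcher, unpaired peer:   rc=%d\n", rc);
    return 0;
}
```

The point of the split is that the fix belongs in the dispatcher, not in the individual commands: once the transport layer hands the handler a link whose authentication state it has not checked, every capability behind it (memory read, memory write, and in the real devices everything built on top of those) is reachable by an unpaired peer.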

ERNW researchers demonstrated proof-of-concept attacks showing how the vulnerabilities could be used to impersonate headphones to paired smartphones, trigger unauthorized calls, and effectively transform audio devices into remote surveillance tools. 

Confirmed affected devices include:

  • Sony WH-1000XM4, WH-1000XM5, WH-1000XM6, WF-1000XM3, WF-1000XM4, WF-1000XM5, WH-CH520, WH-CH720N, WH-XB910N, WI-C100, WF-C510-GFP, WF-C500, Link Buds S, ULT Wear
  • Marshall Woburn III, Stanmore III, Acton III, Major IV, Major V, Minor IV, Motif II
  • JBL Live Buds 3, Endurance Race 2
  • Bose QuietComfort Earbuds
  • Jabra Elite 8 Active
  • Beyerdynamic Amiron 300
  • MoerLabs EchoBeatz, Teufel Airy TWS 2, Jlab Epic Air Sport ANC, EarisMax Bluetooth Auracast Sender, Xiaomi Redmi Buds 5 Pro

ERNW researchers estimate that over 100 different device types could be affected, but comprehensive testing of all suspected vulnerable models has not been completed due to the opaque nature of supply chains. 

Security experts emphasize that successful exploitation requires significant technical expertise and proximity to the target device (the attacker must be within Bluetooth range). The attacks are not feasible over the internet, so the risk is concentrated on high-value targets such as journalists, diplomats, political dissidents, celebrities, and employees in security-critical industries.

The vulnerabilities were responsibly disclosed to Airoha on March 25, 2025, through multiple contact methods. The company did not respond until May 27, 2025, after several attempts by ERNW researchers to establish communication. Airoha provided device manufacturers with an updated SDK containing security mitigations on June 4, 2025, and manufacturers began developing patches for their products.

There is disagreement between ERNW researchers and Airoha regarding the severity classifications of the vulnerabilities. ERNW assigned critical and high-risk ratings to the flaws, but Airoha disputes these assessments, arguing that the complexity of exploitation and the requirement for physical proximity reduce the practical risk level.

As of June 26, 2025, no firmware updates addressing these vulnerabilities are publicly available for end users. The patching process is complicated by the fragmented supply chain: many device manufacturers are still developing and testing firmware updates based on Airoha's corrected SDK, and some may not yet know which of their products contain Airoha chips.

Security experts recommend that users of potentially affected devices monitor for firmware updates from their device manufacturers; headphone firmware is typically delivered through the vendor's companion app rather than automatically. As interim protective measures, users should avoid using Bluetooth headphones in sensitive environments and remove the headphone pairing from their smartphone when it is not needed. Removing the pairing invalidates the link key the phone shared with the headphones, so an attacker who extracts that key from a compromised headset can no longer use it to impersonate the headphones to the phone.
