Many earbuds, headphones, wireless microphones, and speakers are affected.
Highly sophisticated threat actors could eavesdrop or pilfer sensitive data from several audio devices using Airoha systems on a chip impacted by a trio of flaws.
Although the vulnerabilities have been addressed, 29 earbuds, headphones, wireless microphones, and speakers are affected by the issues, reports BleepingComputer.
This includes the medium severity missing GATT service authentication vulnerability, tracked as CVE-2025-20700, the medium severity missing Bluetooth BR/EDR bug, tracked as CVE-2025-20701, and the high-severity custom protocol flaw, tracked as CVE-2025-20702 — which could be exploited to take over devices' connection with mobile devices and facilitate command delivery via the Bluetooth Hands-Free Profile. This was according to ERNW researchers who presented a proof-of-concept exploit at the TROOPERS security conference in Germany.
Researchers said that the PoC exploit enabled phone calls to arbitrary numbers and the compromise of call histories and contacts, while potentially allowing firmware modification for remote code execution. However, significant technical expertise and physical proximity are necessary for the attack to be effective, researchers added.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
