
Security researchers have disclosed critical vulnerabilities affecting widely used Bluetooth headphones and earbuds that could allow attackers to eavesdrop on conversations, steal sensitive data, and even hijack connected smartphones.
The flaws, identified as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, impact devices powered by Airoha Bluetooth System-on-Chips (SoCs), which are used by major manufacturers including Sony, Bose, JBL, Marshall, and Jabra.
| CVE ID | Vulnerability Name | CVSS Score |
|---|---|---|
| CVE-2025-20700 | Missing Authentication (BLE) | 8.8 |
| CVE-2025-20701 | Missing Authentication (Classic) | 8.8 |
| CVE-2025-20702 | RACE Protocol RCE / Arbitrary Read | 9.6 |
The vulnerabilities were initially disclosed in June 2025, giving vendors time to develop patches.
However, six months later, many devices remain unpatched, prompting researchers to release full technical details alongside a white paper and the RACE Toolkit, a tool enabling users and security professionals to verify if their devices are vulnerable.
Airoha is a major supplier of Bluetooth SoCs, particularly for True Wireless Stereo (TWS) earbuds. The company provides reference designs and SDK implementations that manufacturers integrate into their products.
ERNW researchers discovered that Airoha-based devices expose a custom protocol called RACE (Remote Access Control Engine) over multiple interfaces, including Bluetooth Low Energy, Bluetooth Classic, and USB HID connections.

The RACE protocol was originally intended for factory debugging and firmware updates, offering powerful capabilities such as reading and writing arbitrary locations in both flash memory and RAM.
The first vulnerability, CVE-2025-20700, involves missing authentication for GATT services over Bluetooth Low Energy. Attackers can discover and connect to vulnerable headphones within Bluetooth range without pairing, gaining silent access to the RACE protocol. This connection typically occurs without user notification, making the attack completely covert.
CVE-2025-20701 addresses missing authentication for Bluetooth Classic connections. While these connections are sometimes more visible and may interrupt audio streams, unauthenticated access allows attackers to establish two-way audio connections, potentially enabling eavesdropping through the device’s microphone using the Hands-Free Profile (HFP).
The third flaw, CVE-2025-20702, concerns the critical capabilities exposed through the RACE protocol itself.
Specific commands allow attackers to retrieve device information, read flash memory pages, perform arbitrary read/write operations on RAM, and obtain the device’s Bluetooth Classic address. Together, these capabilities let attackers permanently alter a device and extract its sensitive configuration data.
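The root cause described above is a design one: a privileged maintenance protocol answers any peer that can reach it, so the authentication state of the Bluetooth link never enters the decision. The following C code is an added illustration written for this article, not Airoha's SDK, ERNW's RACE Toolkit, or any real RACE frame format; the opcodes, the `[opcode][len][payload]` framing, the `link_ctx_t` flags and the fake flash and RAM contents are all constructed. It places the open dispatcher beside a gated one that requires both an authenticated (bonded) link and an explicit debug unlock before a memory command is executed, and it bounds-checks the RAM write so the frame parser itself is not a second hole.

```c
/* Added example: open vs. gated dispatcher for a hypothetical debug protocol.
 * Everything here (opcodes, frame layout, memory contents) is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed opcodes: one harmless query, two privileged memory commands. */
enum { CMD_GET_INFO = 0x01, CMD_READ_FLASH = 0x02, CMD_WRITE_RAM = 0x03 };

/* Result codes returned by the dispatchers. */
enum { RES_OK = 0, RES_BAD_FRAME = 1, RES_UNAUTHORIZED = 2, RES_LOCKED = 3, RES_UNKNOWN = 4 };

/* Per-link security state the transport layer is expected to fill in (assumed). */
typedef struct {
    int link_authenticated;  /* 1 only after pairing/bonding completed on this link */
    int debug_unlocked;      /* 1 only in factory builds or after an explicit unlock */
} link_ctx_t;

/* Fake device memory, constructed so the leak is visible in tests. */
#define FLASH_PAGE 16
#define RAM_SIZE   32
static uint8_t g_flash[FLASH_PAGE] = { 'L','I','N','K','K','E','Y', 0, 1,2,3,4,5,6,7,8 };
static uint8_t g_ram[RAM_SIZE];

/* Wire frame (constructed): [opcode][len][payload ... len bytes]. */
typedef struct { uint8_t opcode; uint8_t len; const uint8_t *payload; } frame_t;

/* Returns 1 on a well-formed frame; the declared length must match the buffer exactly. */
static int parse_frame(const uint8_t *buf, size_t n, frame_t *f) {
    if (buf == NULL || n < 2 || (size_t)buf[1] + 2 != n) return 0;
    f->opcode = buf[0];
    f->len = buf[1];
    f->payload = buf + 2;
    return 1;
}

/* Executes an already-parsed command with no authorization checks; both dispatchers use it. */
static int run_command(const frame_t *f, uint8_t *out, size_t outcap) {
    switch (f->opcode) {
    case CMD_GET_INFO: {
        static const char ver[] = "fw-1.0-example";   /* constructed version string */
        if (outcap < sizeof ver) return RES_BAD_FRAME;
        memcpy(out, ver, sizeof ver);
        return RES_OK;
    }
    case CMD_READ_FLASH:
        if (outcap < FLASH_PAGE) return RES_BAD_FRAME;
        memcpy(out, g_flash, FLASH_PAGE);             /* dumps the page holding the key */
        return RES_OK;
    case CMD_WRITE_RAM: {
        /* payload: [offset][bytes...]; reject writes that would leave the RAM buffer */
        if (f->len < 2) return RES_BAD_FRAME;
        size_t off = f->payload[0];
        size_t cnt = (size_t)f->len - 1;
        if (off >= RAM_SIZE || cnt > RAM_SIZE - off) return RES_BAD_FRAME;
        memcpy(g_ram + off, f->payload + 1, cnt);
        return RES_OK;
    }
    default:
        return RES_UNKNOWN;
    }
}

/* Vulnerable pattern: any peer that can deliver a frame gets every command. */
int dispatch_open(const uint8_t *buf, size_t n, uint8_t *out, size_t outcap) {
    frame_t f;
    if (!parse_frame(buf, n, &f)) return RES_BAD_FRAME;
    return run_command(&f, out, outcap);
}

static int is_privileged(uint8_t opcode) {
    return opcode == CMD_READ_FLASH || opcode == CMD_WRITE_RAM;
}

/* Hardened pattern: memory commands need an authenticated link AND a debug unlock;
 * the harmless info query stays reachable so ordinary app features keep working. */
int dispatch_gated(const link_ctx_t *ctx, const uint8_t *buf, size_t n,
                   uint8_t *out, size_t outcap) {
    frame_t f;
    if (!parse_frame(buf, n, &f)) return RES_BAD_FRAME;
    if (is_privileged(f.opcode)) {
        if (ctx == NULL || !ctx->link_authenticated) return RES_UNAUTHORIZED;
        if (!ctx->debug_unlocked) return RES_LOCKED;
    }
    return run_command(&f, out, outcap);
}

/* Test helper: read back one RAM byte (0 when out of range). */
uint8_t ram_byte(size_t off) { return off < RAM_SIZE ? g_ram[off] : 0; }
```

The two flags are deliberately separate: bonding proves the peer is a device the user once paired with, while the debug unlock reflects a lifecycle decision (factory vs. production build). A production headset should normally ship with `debug_unlocked` hard-wired to 0 so that even a bonded phone cannot dump flash, which is what confines a key-extraction path like the one described above to the factory floor.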
From Headphones to Smartphones
The most severe impact occurs when attackers chain these vulnerabilities to compromise connected smartphones. The attack sequence begins with an attacker connecting to nearby headphones via BLE or Bluetooth Classic, then using the RACE protocol to dump the device’s flash memory.
This memory contains a connection table with paired device information, including the cryptographic Link Key used for mutual authentication between the headphones and phone.
Armed with this Link Key, attackers can impersonate the trusted headphones and connect to the victim’s smartphone from a privileged position.
This enables multiple attack vectors, including extracting the victim’s phone number and contacts, triggering voice assistants like Siri or Google Assistant to send messages or make calls, hijacking incoming calls, and establishing eavesdropping connections using the phone’s internal microphone, according to ERNW research.
Researchers demonstrated proof-of-concept attacks that successfully compromised WhatsApp and Amazon accounts, highlighting the real-world severity of these vulnerabilities.
The researchers confirmed vulnerabilities across numerous popular devices, though the complete list of affected products remains unclear.
Verified vulnerable devices include multiple Sony WH and WF series headphones (including the flagship WH-1000XM5 and WF-1000XM5), Bose QuietComfort Earbuds, JBL Live Buds 3, Marshall MAJOR V and MINOR IV, and various other models from Beyerdynamic, Jabra, and Teufel.
Some manufacturers have released firmware updates addressing these issues. Jabra stands out for transparency, publicly listing affected devices in their security center and mentioning CVE numbers in firmware release notes. Marshall and Beyerdynamic have also issued updates, though information availability varies significantly across vendors.
Users should immediately update their Bluetooth headphones through manufacturer apps or websites. High-value targets such as journalists, diplomats, and politicians should consider switching to wired headphones to eliminate Bluetooth-based attack vectors.
Users should also review and remove unused paired devices from their phones to minimize the number of potentially compromised Link Keys.
Manufacturers must apply Airoha’s SDK patches immediately and conduct thorough security assessments before releasing products. Following established Bluetooth security testing methodologies could prevent similar vulnerabilities in future devices.
