Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users.
The vulnerability, tracked as CVE-2025-20701 (CVSS score: 8.8), refers to a case of incorrect authorization impacting the Airoha Bluetooth audio SDK that makes it possible to pair a Bluetooth audio device without user consent.
Successful exploitation of the flaw could lead to remote escalation of privilege without requiring any additional execution privileges or user interaction. The issue has been addressed in Beats Firmware Update 1B211.
“An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests,” Apple said in an advisory released this week.
Details of the vulnerability first emerged in June 2025 when ERNW GmbH researchers Dennis Heinze and Frieder Steinmetz flagged it alongside two other flaws in Airoha SoCs (CVE-2025-20700 and CVE-2025-20702) at the TROOPERS security conference in Germany. Similar patches were released by Jabra in December 2025.
“In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required,” the researchers noted at the time. “The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash.”
“These capabilities also allow attackers to hijack established trust relationships with other devices, such as the phone paired to the headphones. These capabilities allow for multiple attack scenarios.”
New Unpatchable Exploit Discovered in Apple’s A12 and A13 Chips
The disclosure comes as Paradigm Shift detailed a novel iPhone SecureROM (aka BootROM) vulnerability impacting Apple’s A12 and A13 chips, along with a proof-of-concept (PoC) exploit codenamed usbliter8.
“The exploit leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware,” the European cybersecurity company said. “As these vulnerabilities reside in immutable code, affected users should be aware that migrating to newer hardware remains the most effective mitigation.”
At a high level, the exploit works by leveraging a flaw in the USB controller built into Apple SoCs. The controller uses a memory buffer to store SETUP and OUT packets transmitted at the start of data transfer. The research found that it’s possible to trigger a buffer underflow primitive by taking advantage of the fact that the controller also accepts smaller packets, effectively allowing for malicious code injection and execution under certain conditions.
The problem, Paradigm Shift noted, is likely rooted in the USB controller hardware itself, not in Apple’s software. The A11 chip is not susceptible to the vulnerability, while A12 and A13 are confirmed to be susceptible.
“The difference is that the A11 USB driver manually resets the DMA address to its initial value after receiving each packet,” the company said. “On A12 and A13, USB DART is configured in bypass mode, allowing us to overwrite SRAM data freely. In contrast, A14 and later generations appear to configure the DART correctly in SecureROM, making the vulnerability unexploitable.”
The usbliter8 exploit is comparable to checkm8, the publicly known BootROM exploit of the same kind that impacted all iOS devices ranging from the iPhone 4s (A5 chip) to the iPhone 8 and iPhone X (A11 chip).
“The usbliter8 exploit demonstrates that even on more recent SecureROM generations, including those protected by Pointer Authentication, subtle hardware bugs can still be leveraged to achieve full code execution and break the chain of trust,” Paradigm Shift said.
“The security of the BootROM is critical: vulnerabilities at this level can compromise the integrity of the entire device. Although usbliter8 doesn’t affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave.”