Researchers have disclosed three Bluetooth vulnerabilities in Airoha chipsets, widely used in wireless audio products from ten major vendors, enabling potential eavesdropping, data theft, and command injection attacks.
Uncovered by cybersecurity firm ERNW and presented at the TROOPERS conference in Germany, the flaws impact 29 devices—including headphones, earbuds, wireless mics, and speakers—from brands like Bose, Sony, Beyerdynamic, JBL, Jabra, Marshall, JLab, Teufel, EarisMax, and MoerLabs.
The Vulnerabilities
The three flaws reside in the firmware of Airoha’s Bluetooth system-on-chip (SoC), specifically in its True Wireless Stereo (TWS) functionality:
- CVE-2025-20700 (CVSS 6.7 – Medium): Missing authentication in GATT services
- CVE-2025-20701 (CVSS 6.7 – Medium): Missing authentication in Bluetooth BR/EDR
- CVE-2025-20702 (CVSS 7.5 – High): Flaws in a custom protocol that enables dangerous capabilities
Using a proof-of-concept exploit, researchers demonstrated they could:
- Read currently playing media
- Hijack Bluetooth connections
- Issue HFP (Hands-Free Profile) commands, such as initiating or answering calls
- Extract Bluetooth link keys, allowing access to call history and contacts
- Eavesdrop on phone conversations
- Potentially rewrite device firmware for remote code execution and worm-like propagation
[Figure: Reading the currently playing song from a vulnerable Airoha device. Source: ERNW]