Beats Studio Buds Firmware Patch Closes Bluetooth Flaw That Could Turn Earbuds Into a Listening Device
A CVSS 8.8 authorization bug in the Airoha Bluetooth audio SDK let any attacker within radio range pair with Studio Buds without the owner's knowledge — and potentially capture microphone audio.

Apple has shipped a firmware update for Beats Studio Buds and Studio Buds+ that closes a critical Bluetooth vulnerability capable of turning the earbuds into a covert listening post.
What Happened
The flaw, tracked as CVE-2025-20701 and rated 8.8 on the CVSS scale, lives not in Apple's own code but in the Airoha Bluetooth audio SDK — a chipset-vendor software layer embedded across a wide range of consumer audio hardware from multiple brands. The root cause is incorrect authorization handling during the Bluetooth pairing sequence. Put simply: the device accepts a pairing request it should reject.
For Beats Studio Buds owners, that is a significant problem. Both the Studio Buds and Studio Buds+ include onboard microphones for phone calls and voice-assistant interaction. An attacker who exploits this vulnerability gains audio access — meaning anything said near those earbuds could be captured.
The Attack Scenario
Proximity is the hard constraint here. Standard Bluetooth Low Energy and Classic connections reach roughly 10 meters in real-world consumer conditions. A determined attacker with directional antenna hardware can stretch that range, but this is not a remote-code-execution flaw that operates across the internet. The threat model is physical: a crowded café, an open-plan office, a conference room, an airport gate.
As of publication, there is no public evidence of active exploitation. Apple has not publicly credited a researcher for the discovery, and the advisory is terse. What is confirmed: unauthorized pairing is possible, and audio access follows.
The Supply-Chain Problem Underneath
This vulnerability is bigger than one product line. Security researchers at ERNW identified a broader cluster of Airoha-related issues in 2025 affecting earbuds and headphones from several manufacturers. The Airoha chipset family is the shared attack surface. When a single SDK contains an authorization flaw, every vendor that ships that SDK ships the vulnerability too — regardless of their own security practices.
Apple's Beats patch is downstream cleanup. More Airoha-linked CVEs should be expected before the year closes. The Verizon 2024 Data Breach Investigations Report noted that third-party software components remain one of the most consistent sources of exploitable vulnerability surface, and the Airoha situation is a textbook illustration of exactly that dynamic.
"Supply-chain vulnerabilities are particularly dangerous because the affected organizations often have no visibility into the third-party code running on their hardware," said a NIST National Vulnerability Database entry summary framework that tracks component-level flaws. Organizations that treat audio peripherals as low-risk accessories rarely apply structured patch management to firmware — and that gap is precisely where attackers look.
Which Devices Are Affected
Apple has confirmed the fix applies to Beats Studio Buds and Studio Buds+. The firmware update is delivered automatically through paired iOS or Android devices when the earbuds are connected and the Beats or Apple settings flow is active. Users do not manually download and install anything. That convenience, however, creates ambiguity: many people have no idea what firmware version their earbuds are running.
To verify, open your phone's Bluetooth settings, find the Studio Buds entry, and check the device information panel. Keep the buds connected to an updated phone for at least 24 to 48 hours to ensure the push completes.
What Defenders — and IT Teams — Should Take Away
The first control failure here is authorization logic in third-party component code. No organization using Airoha-chipset hardware could have prevented the vulnerability from existing, but they can control how quickly they patch it. Firmware update cycles for peripheral hardware are notoriously slow in enterprise environments because these devices rarely appear in standard asset inventories or patch-management dashboards.
Enterprises that issue Beats products as employee perks or productivity hardware should treat this exactly as they would a laptop BIOS update: confirm the patch is applied, log the firmware version, and close the ticket. That means adding audio peripherals to device inventories, not leaving them in the "consumer nuisance" category.
The second failure is awareness. Employees using affected earbuds in sensitive environments — executive meetings, legal calls, HR discussions — may not know a patch exists, let alone that their earbuds carry a microphone-access vulnerability. Security teams cannot rely on automatic push updates reaching every device in a reasonable timeframe without active communication. A one-paragraph internal advisory to affected staff costs almost nothing. Leaving people uninformed costs considerably more if an incident follows.
This is exactly the kind of threat scenario where security-awareness training earns its keep: when the risk is not a phishing link but a physical-proximity attack against a device employees consider completely harmless. Train2Secure's training programs help organizations build the situational awareness that turns everyday employees into the first line of defense — including teaching staff to recognize that the devices on their ears are part of their security posture, not outside it.
What to Do Right Now
For individual users: keep your Studio Buds connected to your phone for the next 48 hours and confirm the firmware version has updated. Avoid using the earbuds in sensitive conversations until you can verify the patch is applied.
For IT and security teams: audit which employees carry Beats Studio Buds or Studio Buds+ hardware issued through corporate programs. Add audio peripheral firmware to your patch verification checklist. Review your security standards alignment to confirm that third-party component patch management is covered under your existing frameworks.
For security leaders thinking about program investment: the Train2Secure pricing page outlines options scaled for teams of any size, including modules that cover physical-layer and Bluetooth-specific threat scenarios.
The Airoha SDK case is not closed. Other vendors using the same chipset family have not all shipped fixes. Watch for additional CVE disclosures in the coming months and apply the same patch-urgency logic to any Airoha-based audio hardware in your environment.
How This Could Have Been Prevented
- Add audio peripheral firmware to your patch management dashboard — treat earbuds and headsets as managed endpoints, not accessories.
- Brief employees who use microphone-equipped devices in sensitive settings: Bluetooth proximity attacks are real and do not require network access.
- Audit third-party hardware components for shared chipset dependencies so a single SDK vulnerability doesn't become an invisible fleet-wide exposure.
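The inventory check described above (log the firmware version, confirm the patch, and scope by shared chipset rather than by brand) can be sketched as follows. This is an added example, not code from Apple, Airoha or the article's author; the component label, asset records and the fixed firmware versions are constructed placeholders, because the article does not state the patched build numbers.

```python
import csv
import io

# Constructed advisory record. It is keyed on the shared component so every
# product built on that SDK is pulled into scope, not only the named models.
ADVISORY = {
    "cve": "CVE-2025-20701",
    "component": "airoha-bt-sdk",  # hypothetical inventory label
    # PLACEHOLDER versions: take the real fixed builds from the vendor advisory.
    "fixed_firmware": {"Beats Studio Buds": "2.0.0", "Beats Studio Buds+": "2.0.0"},
}

# Constructed sample inventory (hypothetical assets, owners and versions).
INVENTORY_CSV = """asset_id,owner,model,component,firmware
P-001,alice,Beats Studio Buds,airoha-bt-sdk,1.4.2
P-002,bob,Beats Studio Buds+,airoha-bt-sdk,2.0.0
P-003,carol,Beats Studio Buds,airoha-bt-sdk,
P-004,dave,ExampleCo Headset X,airoha-bt-sdk,3.1
P-005,erin,ExampleCo Speaker Y,other-bt-stack,1.0
"""

def parse_version(text):
    # Dotted numeric version -> tuple of ints; None if blank or malformed.
    parts = text.strip().split(".")
    if not text.strip() or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row, advisory):
    if row["component"] != advisory["component"]:
        return "not-affected"
    fixed = advisory["fixed_firmware"].get(row["model"])
    if fixed is None:
        return "no-vendor-fix"  # same SDK, but no downstream patch recorded
    seen = parse_version(row["firmware"])
    if seen is None:
        return "unverified"     # version never logged: keep the ticket open
    want = parse_version(fixed)
    width = max(len(seen), len(want))
    pad = lambda v: v + (0,) * (width - len(v))  # so "2.0" equals "2.0.0"
    return "patched" if pad(seen) >= pad(want) else "vulnerable"

def audit(csv_text, advisory=ADVISORY):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset_id"]: classify(r, advisory) for r in rows}

def open_tickets(csv_text, advisory=ADVISORY):
    # Everything that is in scope and not confirmed patched stays open.
    closed = ("patched", "not-affected")
    return sorted(a for a, s in audit(csv_text, advisory).items() if s not in closed)

if __name__ == "__main__":
    print(audit(INVENTORY_CSV), open_tickets(INVENTORY_CSV))
```

Devices with a blank firmware field are reported as unverified rather than assumed patched, which matches the article's point that an automatic push cannot be taken on trust.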
Train2Secure offers awareness modules covering physical-layer threats, device hygiene, and supply-chain risk — built for teams that need more than phishing simulations.
Frequently asked questions
What exactly does CVE-2025-20701 allow an attacker to do?
The flaw allows an attacker within Bluetooth range — typically up to 10 meters — to pair with Beats Studio Buds without the owner's consent. Because the earbuds contain microphones, a successful exploit could give the attacker access to nearby audio.
Do I need to manually install the Beats Studio Buds firmware patch?
No. The update is pushed automatically when your Studio Buds are connected to a paired iOS or Android device. Keep your earbuds connected to an updated phone for 24 to 48 hours, then verify the firmware version in your Bluetooth device settings.
Why are other brands also at risk from this vulnerability?
The bug lives in the Airoha Bluetooth audio SDK, a shared chipset-vendor codebase used by multiple audio hardware manufacturers. Any brand shipping products built on the same Airoha chip family may carry the same or related flaws until each vendor ships its own downstream patch.
Should enterprises treat this differently from a consumer software update?
Yes. Enterprises that issue Beats hardware to employees should add the device to their asset inventory, confirm the firmware update has been applied, and communicate the risk to staff who use the earbuds in sensitive environments. Standard patch management workflows should cover peripheral firmware, not just operating systems and applications.



