
Apple has released a firmware update for its Beats Studio Buds to close a microphone eavesdropping flaw tracked as CVE‑2025‑20701. The flaw let an attacker within Bluetooth range hijack the earbuds’ microphone and listen to nearby conversations without the user’s knowledge. Apple pushed the patch automatically to devices paired with iPhones, iPads or Macs, urging users to confirm the update. Owners can verify the version number in the Bluetooth settings menu to ensure the fix is applied.
The vulnerability stemmed from improper authentication in the Bluetooth firmware supplied by Airoha Systems, a chip vendor whose components appear in many audio accessories. Exploiting the flaw required only that the attacker be within radio range and able to send a malformed pairing request, after which the earbuds would accept a rogue connection and stream microphone data. The issue received a CVSS score of 8.8, reflecting its high impact and low attack complexity.
Similar weaknesses have been found in products from Jabra, Bose and JBL, all of which have issued fixes, as reported by The Hacker News. This highlights the shared risk that arises when multiple brands rely on the same underlying silicon.
Apple’s advisory notes that no active exploitation has been observed in the wild, but the nature of the bug means that a determined attacker could compromise privacy in public spaces such as cafes or offices. The flaw did not require any user interaction beyond the earbuds being powered on and discoverable. Researchers who reported the issue said the root cause was a missing validation step in the link‑key exchange process during Bluetooth pairing, according to Ars Technica. Users should remain wary of unexpected Bluetooth prompts and avoid accepting pairings from unfamiliar devices.
The disclosure fits into a wider trend of Bluetooth chip vulnerabilities uncovered by security researchers over the past year, with multiple vendors rushing to patch similar logic errors. While the Beats Studio Buds fix addresses the specific CVE, the underlying issue highlights how shared component code can propagate risk across brands. Users of other Airoha‑based devices should verify whether their manufacturers have published updates. Staying informed about vendor advisories helps prevent the inadvertent use of unpatched hardware.
Defenders should first confirm that their Beats Studio Buds are running the latest firmware version, which can be viewed in the Bluetooth settings menu of an iOS or macOS device. If the version number does not match the one listed on Apple’s support page, they should reconnect the earbuds to a trusted source and allow the update to download. Keeping Bluetooth disabled when the earbuds are not in use reduces the window of exposure. Additionally, administrators can enforce corporate policies that block pairing with unknown peripherals and monitor Bluetooth logs for unexpected connections.
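The checks described above can be scripted for a fleet. The following is an added example, not code from Apple or from the article: the minimum firmware version is a placeholder (the article does not state one), and the inventory, addresses and "<time> <event> <address>" log format are constructed for illustration.

```python
import re

# Assumption: placeholder minimum version. Replace with the version listed on
# the vendor's support page; the article does not give one.
MIN_FIRMWARE = {"Beats Studio Buds": "9.9.9"}
# Approved peripherals by Bluetooth address (constructed sample values).
ALLOWLIST = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}
# Constructed inventory: (address, model, reported firmware).
INVENTORY = [
    ("AA:BB:CC:00:00:01", "Beats Studio Buds", "9.9.9"),
    ("AA:BB:CC:00:00:02", "Beats Studio Buds", "9.8.12"),
    ("AA:BB:CC:00:00:03", "Generic Airoha Headset", "1.4"),
]
# Constructed log lines in a hypothetical "<time> <event> <address>" format.
LOG = """\
2025-01-01T09:00:01 CONNECT AA:BB:CC:00:00:01
2025-01-01T09:02:44 CONNECT DE:AD:BE:00:00:99
2025-01-01T09:03:10 DISCONNECT AA:BB:CC:00:00:01
2025-01-01T09:05:37 PAIR_REQUEST DE:AD:BE:00:00:99
"""

def version_key(v):
    """'9.8.12' -> (9, 8, 12); trailing zeros dropped so 9.9 equals 9.9.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit_firmware(inventory, minimums):
    """Flag devices below the minimum, or with no known minimum to compare."""
    findings = []
    for addr, model, fw in inventory:
        required = minimums.get(model)
        if required is None:
            findings.append((addr, "no-known-minimum"))  # check vendor advisory
        elif version_key(fw) < version_key(required):
            findings.append((addr, "outdated"))
    return findings

def unexpected_events(log_text, allowlist):
    """Return connect or pairing events from addresses not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if (len(parts) == 3 and parts[1] in {"CONNECT", "PAIR_REQUEST"}
                and parts[2].upper() not in allowlist):
            hits.append(tuple(parts))
    return hits

if __name__ == "__main__":
    print(audit_firmware(INVENTORY, MIN_FIRMWARE), unexpected_events(LOG, ALLOWLIST))
```

Comparing versions as integer tuples avoids the string-comparison error where "9.8.12" would sort after "9.10.0".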
Regularly reviewing vendor security advisories and applying patches as soon as they are released remains the most effective defence against this class of flaw. Staying current with updates helps mitigate the risk of silent eavesdropping through seemingly benign wireless accessories. Users are encouraged to treat firmware updates as a routine part of device hygiene rather than an optional extra.