According to ERNW, three vulnerabilities have been identified in Airoha Systems on a Chip (SoCs) that are widely used in True Wireless Stereo (TWS) headphones.
The problems affect at least 29 devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel. The list of vulnerable products includes speakers, headphones, earbuds, and wireless microphones.
The vulnerabilities aren’t critical, and to exploit them an attacker must be within Bluetooth range of the target device; however, they can be used to hijack the vulnerable product, giving the attacker access to the victim’s call history and contacts.
The vulnerabilities were listed under the following CVE numbers:
- CVE-2025-20700 (CVSS score 6.7): Missing Authentication for GATT Services;
- CVE-2025-20701 (CVSS score 6.7): Missing Authentication for Bluetooth BR/EDR; and
- CVE-2025-20702 (CVSS score 7.5): Critical Capabilities of a Custom Protocol.
At this year’s TROOPERS Conference, ERNW researchers reported that they have already produced a PoC exploit making it possible to read currently playing media content from vulnerable headphones.

Other possible attack scenarios are much more severe: an attacker can establish a Bluetooth Hands-Free Profile (HFP) connection to a vulnerable device and listen to what its microphone is currently recording, and the same HFP connection can be used to issue commands to the victim’s mobile phone.
“We demonstrated the full attack chain, starting with the extraction of Bluetooth link keys from the headphones’ flash memory. These keys were then used to impersonate the headphones to a previously paired phone and to trigger a call to an arbitrary number… The range of available commands depends on the mobile operating system, but all major platforms support at least initiating and receiving calls,” — ERNW Enno Rey Netzwerke GmbH.
A call initiated by an attacker can result in successful eavesdropping on conversations and sounds within earshot of the device’s microphone.
Worse, the firmware of a vulnerable device could be rewritten to gain remote code execution, which opens the way for a wormable exploit that can spread to other gadgets.
Fortunately, the delivery of such attacks in the real world would require advanced technical knowledge and skills.
Airoha developers have already released an updated SDK fixing the three identified vulnerabilities, and device manufacturers have started developing and shipping patches for their products. However, according to Heise Online, the latest firmware updates for approximately 50% of vulnerable devices are dated May 27, 2025 or earlier, while the updated Airoha SDK was released only on June 4, 2025.