Apple has released security updates for the Beats Studio Buds after a high-severity Bluetooth flaw was found that could let an attacker in range listen through the earbuds’ microphone before pairing, according to an Apple advisory.
KEY FACTS
- Flaw CVE-2025-20701 affects the Beats Studio Buds wireless earbuds.
- Impact An attacker within Bluetooth range could listen through the microphone of a device that is not yet paired and is seeking pair requests.
- Fix Apple addressed the issue in Beats Firmware Update 1B211.
- Discovery Dennis Heinze and Frieder Steinmetz of ERNW GmbH found the issue in Airoha system-on-chip components.
The advisory said the firmware update will be delivered automatically when the headphones are paired and within Bluetooth range of an iPhone, iPad or Mac. Users can check the installed firmware in Bluetooth settings by tapping the info button next to the headphones.
The disclosure said the bug stems from a missing authentication weakness in Bluetooth BR/EDR radio code. The researchers said they also built a proof-of-concept exploit that could initiate a call and eavesdrop on conversations within earshot of the targeted phone.
They said the issue can be chained with two other vulnerabilities, CVE-2025-20700 and CVE-2025-20702, to issue commands to a phone after hijacking the connection between the phone and a paired Bluetooth audio device. The researchers also said attackers could read and write device memory and, in some cases, retrieve call history and contacts.
They added that real attacks are complex and would likely target high-value victims because they require technical skill and physical proximity. The range of possible commands depends on the mobile operating system, although major platforms support at least call initiation and call reception.
WHY IT MATTERS
The flaw shows how Bluetooth devices can expose nearby users to audio surveillance if authentication is missing. The fix reduces the risk for affected Beats Studio Buds owners, although devices must still receive the updated firmware.