Researchers have discovered multiple vulnerabilities in a widely used Bluetooth chipset, putting over two dozen audio devices from major brands such as Bose, Sony, Jabra, JBL, Marshall, and others at risk.
The flaws could allow attackers to eavesdrop on conversations or steal sensitive data when near a target.
Disclosed at the TROOPERS security conference in Germany, cybersecurity firm ERNW revealed three vulnerabilities in Airoha Bluetooth chips, commonly found in True Wireless Stereo (TWS) earbuds and other audio devices. A total of 29 products across ten vendors were confirmed affected. The impacted devices include headphones, earbuds, speakers, and wireless microphones.
The vulnerabilities, identified as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, range from medium to high severity and stem from missing authentication in both Bluetooth Low Energy (BLE) and Bluetooth Classic protocols. In some cases, attackers could hijack the Bluetooth connection to issue commands, retrieve call history, access contacts, or even initiate calls. Researchers also demonstrated the ability to eavesdrop using the Hands-Free Profile (HFP).
While the attacks require advanced technical skills and close physical proximity, the threat is considered serious for high-value targets like diplomats, journalists, or executives. Airoha has released a patched SDK, but reports suggest that many affected devices have not yet received firmware updates.
Users are advised to install any available updates promptly, disable Bluetooth when not in use, and avoid pairing with unknown devices.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
