Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users.

The vulnerability, CVE-2025-20701, allowed improper authentication in the firmware running on the Bluetooth-related chips, enabling people within signal range to impersonate devices that had previously been paired with the earbuds. The researchers demonstrated this in a series of end-to-end attacks that allowed them to eavesdrop on conversations or sounds within earshot of the phone microphone.

“Impact: An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests,” Apple said in a Tuesday security advisory. The fix is contained in Beats Firmware Update 1B211, which is delivered automatically while headphones are paired with and within Bluetooth range of a user’s iPhone, iPad, or Mac. Users can check their firmware version by going to Settings on their device, navigating to Bluetooth, and tapping the info button next to the headphones.

Carrying a severity rating of 8.8 out of 10, CVE-2025-20701 was one of three vulnerabilities resulting from last year’s disclosure by researchers Dennis Heinze and Frieder Steinmetz of security firm Insinuator about chips made by Airoha Systems. In response, Airoha released an updated software development kit to affected hardware sellers. Apple’s incorporation of the patch into the Beats Studio Buds came the same week that Jabra, another affected headphone manufacturer, also announced patched versions. According to this article from Ecoustics, manufacturers Bose and JBL have released statements saying their devices have also been updated to incorporate the fixes.

Security firm Sentinel One has a deeper dive into CVE-2025-20701 here.

Heinze and Steinmetz said last year that the full chain of attacks gave attackers the ability to do other malicious things, including retrieving call history and contacts, and even calling arbitrary numbers. Many of those capabilities are dependent on the specific devices being paired, since the functionality built into them differs from platform to platform.

Devices affected by the Airoha vulnerabilities are by no means alone. In January, researchers disclosed WhisperPair, a series of vulnerabilities that allows an attacker to hijack Bluetooth devices connected through Google Fast Pair, a proprietary protocol belonging to the company. Besides eavesdropping, attackers can exploit the WhisperPair flaws to geolocate devices. The vulnerabilities affect more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus, and Google itself.

There are few, if any, reports of Bluetooth vulnerabilities like these being actively exploited in the wild. The complexity of such attacks is often high, and an attacker has to continually stay within Bluetooth range of a target while utilizing the exploit. People who think they may be targeted by such attacks should turn off Bluetooth in devices whenever they’re not needed, and remain aware of the risks when Bluetooth is enabled.