Apple Patches Eavesdropping Flaw in Beats Studio Buds, New Unpatchable iPhone Exploit Emerges
Apple has addressed a high-severity vulnerability in its Beats Studio Buds that could have allowed nearby attackers to eavesdrop on users. Concurrently, a new unpatchable BootROM exploit, 'usbliter8,' has been disclosed, impacting Apple's A12 and A13 chips, raising significant concerns for device security.

**Apple** has released a firmware update for its **Beats Studio Buds** wireless earbuds, patching a critical vulnerability that could have enabled unauthorized eavesdropping.
Tracked as **CVE-2025-20701** (CVSS score: 8.8), this high-severity flaw stemmed from an incorrect authorization issue within the **Airoha Bluetooth audio SDK**. This allowed a Bluetooth audio device to pair without explicit user consent.
Successful exploitation could have led to remote escalation of privilege, requiring no additional execution privileges or user interaction. The fix is included in **Beats Firmware Update 1B211**.
"An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests," **Apple** stated in its advisory.
### Origins of the Eavesdropping Flaw
Details of this vulnerability first surfaced in June 2025. Researchers Dennis Heinze and Frieder Steinmetz from **ERNW GmbH** presented it alongside two other flaws (**CVE-2025-20700** and **CVE-2025-20702**) in **Airoha SoCs** at the **TROOPERS** security conference. Similar patches were subsequently released by **Jabra** in December 2025.
At the time, the researchers noted, "In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required."
They further explained, "The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device's RAM and flash." This access could facilitate hijacking trust relationships with paired devices, such as a user's phone.
### New Unpatchable Exploit Targets Apple A12 and A13 Chips
Coinciding with the **Beats** patch, cybersecurity firm **Paradigm Shift** disclosed a novel **SecureROM** (or **BootROM**) vulnerability affecting **Apple's A12** and **A13** chips. They also released a proof-of-concept (PoC) exploit named **usbliter8**.
"The exploit leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware," **Paradigm Shift** explained. Because the flaw resides in immutable code, it cannot be patched in the field; the most effective mitigation for affected users is migrating to newer hardware.
The **usbliter8** exploit targets a flaw in the USB controller embedded within **Apple SoCs**. The controller uses a memory buffer for **SETUP** and **OUT** packets during data transfer. Researchers discovered that by sending undersized packets, they could trigger a buffer underflow primitive, enabling malicious code injection and execution.
**Paradigm Shift** suggests the issue is likely a hardware-level defect in the USB controller itself, not a software bug. While the **A11** chip is not vulnerable, **A12** and **A13** are confirmed susceptible. **A14** and later generations appear to configure the **DART** (Device Address Resolution Table) correctly in **SecureROM**, making the vulnerability unexploitable on those chips.
This new exploit is comparable to **checkm8**, a well-known public **BootROM** exploit that impacted **iOS** devices from the **iPhone 4s** (A5 chip) up to the **iPhone X** (A11 chip).
"The usbliter8 exploit demonstrates that even on more recent SecureROM generations, including those protected by **Pointer Authentication**, subtle hardware bugs can still be leveraged to achieve full code execution and break the chain of trust," **Paradigm Shift** concluded. "The security of the BootROM is critical: vulnerabilities at this level can compromise the integrity of the entire device. Although usbliter8 doesn't affect **SEP** itself, it opens up wider attack vectors to compromise the **Secure Enclave**."