Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone

Apple patches Beats Studio Buds with a fix for a high-severity Bluetooth flaw that lets a nearby attacker silently pair with the earbuds and listen through the microphone, no user action required.

For SMBs where wireless earbuds are standard kit on sales calls, in open offices, and across hybrid work setups, this flaw is a direct reminder that consumer audio hardware carries real security risk.

Apple has released a firmware update for Beats Studio Buds to address CVE-2025-20701, a vulnerability carrying a CVSS score of 8.8. The flaw is classified as an incorrect authorization issue inside the Airoha Bluetooth audio SDK, the software layer responsible for wireless pairing and audio transmission in the earbuds.

The practical consequence is serious. A nearby attacker could pair a Bluetooth audio device to a target’s earbuds without the user’s knowledge or consent. Once paired, the attacker gains microphone access, turning a familiar piece of office hardware into a surveillance tool.

No user interaction is required. There is no link to click, no attachment to open, and no warning prompt to dismiss. The attack operates entirely at the Bluetooth protocol layer, which means even security-conscious employees would have no way to detect or prevent it on an unpatched device.

Proximity is the key constraint. Bluetooth range varies by environment and device generation, so IT teams should not assume that only people sitting directly beside an employee represent a threat. A shared office building, a hotel lobby during a conference, a coffee shop, or a parking lot adjacent to your workplace can all put an adversary within operational range.

Peripheral firmware is a consistently underestimated attack surface for SMBs. Laptops get patched. Phones get patched. MDM platforms cover mobile devices. Wireless earbuds, headsets, and other Bluetooth accessories almost never appear on a formal patch management schedule, yet they operate on the same Bluetooth radio environment as every managed device in the workspace.

The Airoha SDK connection deserves specific attention. Airoha Technology supplies Bluetooth audio chips and associated software to a range of audio hardware manufacturers. When a vulnerability is found in a shared SDK rather than one product’s proprietary firmware, the affected device count can extend well beyond the product named in the initial disclosure. Assuming the risk is confined to Beats Studio Buds alone is a reasonable starting point, not a conclusion.

For IT managers, the immediate action is clear. Confirm that any Beats Studio Buds used by employees have received the latest firmware update from Apple. Beats products typically update automatically when connected to an iPhone or Mac running current software, but automatic does not mean guaranteed. Manual verification is worth the time.

Employees using personal earbuds for work calls, video conferences, or any voice communication involving company information create a visibility gap. BYOD policies that permit personal audio devices on business calls place patch responsibility entirely on the individual employee. That gap needs to be addressed with a direct communication, not an assumption.

This vulnerability fits a recognizable pattern in Bluetooth security. The Bluetooth stack has historically been a productive target for proximity-based attacks because the protocol was designed with convenience as the primary goal, and authorization mechanisms have repeatedly proven weaker than expected under scrutiny. CVE-2025-20701 is a current example of a recurring category of risk, not an isolated anomaly.

Microphone access is the detail that should sharpen focus for any business that handles sensitive conversations. Executive calls, HR discussions, legal consultations, client negotiations: if any of those happen while someone is wearing compromised earbuds in a location where an adversary could be nearby, the exposure is not hypothetical.

One practical interim control is a policy around Bluetooth device use during sensitive meetings. Wired connections or disabling Bluetooth entirely for those sessions removes the attack surface for the duration of the conversation. This is not a permanent substitute for patching, but it is a meaningful risk reduction measure while patch deployment is confirmed across a workforce.

Asset inventories should include peripheral devices. If your organization cannot identify which Bluetooth audio devices employees are using for work, you cannot determine whether those devices are patched. A lightweight BYOD audit, even a self-reported inventory, gives IT a baseline to act from.

Apple’s response in issuing a patch and publishing a tracked CVE with a CVSS score gives IT teams the information they need to prioritize the update. The remaining gap is operational. Patch availability does not equal patch deployment, and peripheral firmware requires deliberate follow-through rather than assumption.

TeckPath Perspective: Peripheral devices like wireless earbuds sit outside most SMB patch management programs, and CVE-2025-20701 is a concrete example of why that gap needs to close before an attacker closes it for you.

The devices your team barely thinks about are exactly the ones an attacker will target first.