Hash: SHA256

Multiple Vulnerabilities in Bluetooth Devices

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

Airoha Systems-on-Chip (SoCs)

Overview

Multiple vulnerabilities have been reported in Airoha Bluetooth firmware, which could allow an attacker to gain unauthorised access to Bluetooth audio devices, potentially eavesdrop on or manipulate audio communications, and intercept or inject commands on the targeted system.

Target Audience:

All organisations and individuals using Bluetooth devices using Airoha Systems-on-Chip (SoCs)

Impact Assessment:

Potential for eavesdropping, call hijacking, device manipulation, and full takeover through unauthorized firmware modification.

Risk Assessment:

High risk of device compromise

Description

Multiple vulnerabilities have been reported in Airoha Bluetooth firmware, which could allow an attacker within Bluetooth range to read or write device RAM/flash, invoke Hands-Free Profile (HFP) commands on a paired phone, eavesdrop on microphone audio, steal call history and contacts, and potentially deploy wormable firmware.

The vulnerabilities exist in Airoha Systems-on-Chip (SoCs) due to missing authentication in the GATT service and the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) component, as well as a flaw in a custom protocol. An attacker could exploit these vulnerabilities by establishing connections between mobile devices and audio Bluetooth devices and by delivering commands via the Bluetooth Hands-Free Profile (HFP).

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorised access to Bluetooth audio devices, potentially eavesdrop on or manipulate audio communications, and intercept or inject commands on the targeted system.

Solution

Airoha supplied an SDK update containing firmware fixes to all device manufacturers on 4 June 2025, and each vendor is expected to release product-specific firmware updates in its next scheduled cycle.

References

ERNW Security Advisory

https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/

Bleepingcomputer

https://www.bleepingcomputer.com/news/security/bluetooth-flaws-could-let-hackers-spy-through-your-microphone/

CVE Name

CVE-2025-20700

CVE-2025-20701

CVE-2025-20702

– – —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmhmnMIACgkQ3jCgcSdc

ys+RjQ//SVBLlXfrvOHabIyh5kWXKE16NjNazfw2DsouOMz4iI3Xa6i0MkeKD7rZ

YqBuYiKDSPX7Y8tlAqZQHYdFPNwoznR/lIEDdH0Bg5Jqbopf8UFdMu2HWl9jnhnl

4ambho8StqedsGacPcGgS130Thbk6uZcxeEsE/Y0KZG+KceZTm4HEk7Y7pl9cAfx

9UgG1Hs0PoPJjxwKsqgnLqkmaAdMRzmkzLNzwM1Tt4eUuQfxWNlXIE+twjj35TUa

W9io6sI+3P4U39+oH1AXXskDWLxCPjkR5ZKOdYIt6nVNwOTyy4dzf/Kkx5TDYwzz

f+OgTA71wXidx3fEQ6zcosEG9g+uJClKGU48otUmPMwKKsHeyYz+plHIlK8gNTqU

s6ZDEQZa9zwgD4+cW/7+GMCWVCt03q/LCKzRvd+mkSr1i8T9TQfjTE+9lFYRB3xW

l4gq16c/JUWFbuhzz6RkFX0gQ4+N+le3l2iaaUcg7h+TgrnE2t/wpYPH5WWxB1+d

GLsliMcYNFsKAlZqJByU4KJsBa74cbNafHbHSkD3uV/T8xtHw3CVXiXqtvmOT94v

txaOCPKdvW6FMpH1Ge0EZEB0cXxYGOz43ecCAaXHRILPTikJ7ARNQdIEebILpxog

TXs3vBMLWjzfiYWgEURaZCCbBobCA+8mC42ZdUvUGq4+Yd6Wc8s=

=DhrK

—–END PGP SIGNATURE—–