CVE-2025-20700
published 2025-08-04


Priority: P260
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.18% (92.6th percentile)
In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access to critical data of the RACE protocol through the Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Detection & IOCs (extracted from sources)

Other: Bluetooth LE GATT service (RACE protocol access vector)
  • Detect Bluetooth Hands-Free Profile (HFP) command issuance from devices that have hijacked an established Bluetooth audio connection — particularly call initiation from unexpected sources.
  • Investigate extraction of Bluetooth link keys from device memory, which enables hijacking of established trust relationships with paired phones.
  • Flag Airoha SoC-based Bluetooth audio devices (e.g., Beats Studio Buds) running firmware older than version 1B211 as unpatched and at risk.
  • CVE-2025-20700 is most dangerous when chained with CVE-2025-20701 and CVE-2025-20702; the full attack chain enables complete device takeover, RAM/flash read-write, link key extraction, and HFP command injection.
  • The attack surface extends beyond Beats devices — Jabra also released patches for affected Airoha SoC-based devices, indicating broad vendor impact.