Apple patches eavesdropping vulnerability in Beats Studio Buds


Security firm SentinelOne takes an in-depth look at CVE-2025-20701 here.

Heinz and Steinmetz said last year that the entire series of attacks gave attackers the ability to do other malicious things, including retrieving call history and contacts, and even calling arbitrary numbers. Many of those capabilities depend on the specific devices being paired, as the functionality built into them varies from platform to platform.

The devices affected by the Airoha vulnerabilities are by no means alone. In January, researchers disclosed a series of vulnerabilities called WhisperPair that allow an attacker to hijack Bluetooth devices connected through Google Fast Pair, the company’s proprietary protocol. In addition to eavesdropping, attackers can exploit WhisperPair flaws to geolocate devices. The vulnerabilities affect more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus, and Google itself.

There are very few, if any, reports of Bluetooth vulnerabilities like this being actively exploited in the wild. The complexity of such attacks is often high, and an attacker must constantly be within Bluetooth range of the target when using the exploit. People who think they may be targeted by such attacks should turn off Bluetooth on their devices when not needed and be aware of the risks when Bluetooth is enabled.


