CVE-2025-20700

HIGH

Airoha Bluetooth audio SDK - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-20700. PoCs published by Yedidia-Bakuradze.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2025-20700, a vulnerability in Sony wireless headphones using the Airoha AB1585 Bluetooth chipset. It explains the attack flow, hardware architecture, and exploitation process for extracting Bluetooth link keys via BLE.

Description

In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access critical data of RACE protocol through Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (1)

nomisec WRITEUP

by Yedidia-Bakuradze · poc

https://github.com/Yedidia-Bakuradze/mem-forensics-analysis

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2025-20700, a vulnerability in Sony wireless headphones using the Airoha AB1585 Bluetooth chipset. It explains the attack flow, hardware architecture, and exploitation process for extracting Bluetooth link keys via BLE.

Classification

Writeup 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Sony wireless headphones (WF-1000XM5, WH-1000XM5, etc.) with Airoha AB1585 chipset

No auth needed

Prerequisites: BLE proximity to target device · knowledge of RACE protocol commands

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 11, 2026 Full analysis →

References (1)

Core 1

Core References

Various Sources

https://www.airoha.com/product-security-bulletin/2025

Scores

CVSS v3 8.8

EPSS 0.0472

EPSS Percentile 90.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-306

Status published

Products (2)

Airoha Technology Corp./AB156x, AB157x, AB158x, AB159x series, AB1627 Airoha AB1561x/AB1562x/AB1563x SDK v3.3.1 and earlier

Airoha Technology Corp./AB156x, AB157x, AB158x, AB159x series, AB1627 Airoha IoT SDK for BT audio v5.5.0 and earlier

Published Aug 04, 2025

Tracked Since Feb 18, 2026