Security vulnerability discovered in some models of Xiaomi Redmi Buds
Attacks are possible within Bluetooth range without separate pairing
"Sensitive information of the person on the other end of the call could be completely compromised"
"Preparing an update," says Xiaomi
Users should take precautions until the patch is available

A security vulnerability has been identified in some models of Xiaomi's "Redmi Buds" wireless earphones, which have gained popularity for their low price and "value for money" image. The flaw could allow call-related information to be leaked externally even without separate pairing. As products sold in Korea are also affected, users are urged to exercise particular caution.
According to the industry on February 10, the Korea Internet & Security Agency (KISA) recently issued a security notice stating that a security vulnerability has been found in some models of Xiaomi Bluetooth earphones in the "Redmi Buds" series, and called on users to be cautious.
Four models are affected: Redmi Buds 3 Pro, 4 Pro, 5 Pro, and 6 Pro. KISA stated that an information disclosure vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328) were discovered in these products, and recommended that "since no security patch is currently available, users should disable the Bluetooth function when not using the earphones, especially in crowded public places."
The CERT Coordination Center, a U.S. nonprofit security organization, also reported last month that information disclosure and denial-of-service vulnerabilities had been identified in some models of the Redmi Buds series, and requested heightened vigilance.
Attacks possible without pairing...risk of call information leakage
According to the two organizations, the confirmed vulnerabilities allow an attacker, if within Bluetooth range, to remotely attack the device by sending malicious traffic without any separate pairing or authentication process. In particular, the most serious issue is that metadata related to calls could be leaked externally.
The information disclosure vulnerability (CVE-2025-13834) exploits a behavior in which the device, upon receiving an abnormal TEST command, returns an uninitialized memory buffer as is. Through this, an attacker can steal sensitive data, including key information such as the phone number of the person on the other end of the call. If the attack occurs during a call or immediately after a call ends, the related information could be exposed as is.
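The bug class described above (a reply built from a buffer that was never cleared) can be shown with a small simulation; this is an added example, not Xiaomi firmware or code from the advisories. The frame handling, the function names, the sample value and the idea that the abnormal command declares more bytes than it carries are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32

/* Scratch buffer reused across operations and never cleared between uses
 * (stands in for the uninitialized memory the article mentions). */
static uint8_t scratch[BUF_LEN];

/* Earlier call handling leaves metadata behind (constructed sample value). */
void simulate_call(void) {
    memset(scratch, 0, BUF_LEN);
    memcpy(scratch, "PEER=+00-0000-0000", 18);
}

/* Flawed (hypothetical): echoes claimed_len bytes although only actual_len
 * arrived, so the tail of the reply is stale scratch content. */
size_t test_reply_flawed(const uint8_t *in, size_t actual_len,
                         size_t claimed_len, uint8_t *out) {
    if (actual_len > BUF_LEN || claimed_len > BUF_LEN) return 0;
    memcpy(scratch, in, actual_len);
    memcpy(out, scratch, claimed_len);
    return claimed_len;
}

/* Hardened: drop frames whose declared length disagrees with what arrived,
 * and clear the buffer before every use. */
size_t test_reply_hardened(const uint8_t *in, size_t actual_len,
                           size_t claimed_len, uint8_t *out) {
    if (actual_len > BUF_LEN || claimed_len != actual_len) return 0;
    memset(scratch, 0, BUF_LEN);
    memcpy(scratch, in, actual_len);
    memcpy(out, scratch, actual_len);
    return actual_len;
}

int main(void) {
    uint8_t out[BUF_LEN] = {0};
    simulate_call();
    size_t n = test_reply_flawed((const uint8_t *)"AB", 2, 18, out);
    printf("flawed reply (%zu bytes): %.*s\n", n, (int)n, (const char *)out);
    simulate_call();
    n = test_reply_hardened((const uint8_t *)"AB", 2, 18, out);
    printf("hardened reply: %zu bytes\n", n);
    return 0;
}
```

The two defensive measures shown, validating the declared length against the received length and zeroing reused buffers, are general practice for echo-style handlers and are not a description of Xiaomi's patch.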
Models sold in Korea included...user caution required
The denial-of-service vulnerability (CVE-2025-13328) involves an attacker sending a large volume of commands at once to excessively consume device resources, which can cause the earphones to malfunction or disrupt the connection with the user's device.
Xiaomi's Redmi Buds Pro series is regarded as a representative "value for money" wireless earphone line that emphasizes low price and performance. It is also a well-known product in Korea, and the latest model, Redmi Buds 6 Pro, is currently being sold on platforms such as Naver Smart Store in Korea for around 80,000 won.
Regarding these vulnerabilities, Xiaomi is reportedly planning to carry out an update in cooperation with its suppliers. It is also known that recently released products have already had the update applied and are therefore not affected by this issue.
Meanwhile, the vulnerabilities were discovered and reported by a research team led by Professor Lee Heejo of Korea University.