
"Turn Off Bluetooth on Xiaomi Earphones in the Subway" ... Compromised Even Without Authentication

Image generated by ChatGPT


Security vulnerability discovered in some models of Xiaomi Redmi Buds

Attacks are possible within Bluetooth range without separate pairing
"Sensitive information of the person on the other end of the call could be completely compromised"

"Preparing an update," said Xiaomi
Users should take precautions until the patch is available


A security vulnerability has been identified in certain models of Xiaomi's wireless earphones, "Redmi Buds," which have gained popularity for their affordable price and "cost-effectiveness" image. It was confirmed that call-related information could be leaked externally even without separate pairing. Since products sold in Korea are also affected, users are urged to exercise particular caution.


According to industry sources on February 10, the Korea Internet & Security Agency (KISA) recently issued a security notice, warning that a security vulnerability has been discovered in specific models of Xiaomi's Bluetooth earphones, the Redmi Buds series, and advised users to be vigilant.


The affected products are Redmi Buds 3 Pro, 4 Pro, 5 Pro, and 6 Pro—a total of four models. KISA reported that these models are susceptible to an information exposure vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328). Since no security patch is currently available, KISA recommended deactivating Bluetooth when the earphones are not in use, especially in crowded public places.


Xiaomi's Bluetooth earphones "Redmi Buds 6 Pro". Xiaomi official website


The CERT Coordination Center, a U.S. nonprofit security organization, also reported last month that information leakage and denial-of-service vulnerabilities have been identified in some Redmi Buds models, urging users to take extra care.

Possible to Attack Without Pairing... Concerns Over Call Information Leakage

According to both organizations, the recently discovered vulnerability allows an attacker within Bluetooth range to remotely attack the device by sending malicious traffic, even without any separate pairing or authentication procedures. The most serious issue is that metadata related to phone calls could be leaked externally.


The information exposure vulnerability (CVE-2025-13834) exploits a condition where the device returns an uninitialized memory buffer when it receives an abnormal TEST command. This allows an attacker to steal sensitive data, including key information such as the phone number of the person on the other end of the call. If the attack occurs during or immediately after a call, such information can be directly exposed.

Models Sold in Korea Included... Users Need to Be Cautious

The denial-of-service vulnerability (CVE-2025-13328) involves an attacker sending a large number of commands simultaneously, excessively consuming the device's resources and potentially causing the earphones to malfunction or break the connection with the user's device.
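The two bug classes described above, a response built from a buffer that still holds earlier data and a flood of commands exhausting device resources, are easier to reason about next to code. The following C program is an added illustration written for this article; it is not Xiaomi firmware, and the command layout, opcode, buffer sizes and budget are constructed for the example. Reading genuinely uninitialized memory is undefined behaviour in C, so the leak is modelled deterministically as a shared response buffer that is reused without being cleared. The hardened handler rejects malformed lengths, zeroes the buffer and returns only the bytes it wrote, and a per-second command budget shows the simplest mitigation for the flooding case.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed command format for this example (not the real protocol). */
#define CMD_TEST            0x01
#define TEST_PAYLOAD        16
#define RESP_LEN            32
#define CMD_BUDGET_PER_SEC  20

typedef struct {
    uint8_t opcode;
    uint8_t len;                    /* number of valid payload bytes */
    uint8_t payload[TEST_PAYLOAD];
} cmd_t;

/* Shared response area. In the leak scenario it still holds bytes from an
 * earlier operation, standing in for the uninitialized buffer in the advisory. */
static uint8_t g_resp[RESP_LEN];

/* Constructed stale call metadata left behind by a previous operation. */
void seed_stale_call_metadata(void) {
    memset(g_resp, 0, sizeof g_resp);
    memcpy(g_resp, "CALLEE:+82-10-0000-0000", 23);
}

/* Vulnerable pattern: copies the payload without bounds checking and
 * without clearing the buffer, then always returns the full RESP_LEN.
 * An abnormal TEST command with len == 0 therefore returns the stale bytes. */
size_t handle_test_vulnerable(const cmd_t *cmd, uint8_t *out) {
    memcpy(g_resp, cmd->payload, cmd->len);
    memcpy(out, g_resp, RESP_LEN);
    return RESP_LEN;
}

/* Hardened pattern: validate opcode and length, zero the buffer before use,
 * and report exactly how many bytes were produced. Returns 0 on success. */
int handle_test_hardened(const cmd_t *cmd, uint8_t *out, size_t *out_len) {
    if (cmd->opcode != CMD_TEST || cmd->len == 0 || cmd->len > TEST_PAYLOAD)
        return -1;                  /* abnormal command: refuse, send nothing */
    memset(g_resp, 0, sizeof g_resp);
    memcpy(g_resp, cmd->payload, cmd->len);
    memcpy(out, g_resp, cmd->len);
    *out_len = cmd->len;
    return 0;
}

/* Detection helper for the example: does a response start with the stale marker? */
int leaks_callee(const uint8_t *out, size_t n) {
    return n >= 6 && memcmp(out, "CALLEE", 6) == 0;
}

/* Fixed-window command budget: at most CMD_BUDGET_PER_SEC commands per second
 * from the link, so a burst cannot monopolise the handler. */
typedef struct { uint32_t window_start; uint32_t count; } limiter_t;

int limiter_allow(limiter_t *l, uint32_t now_sec) {
    if (now_sec != l->window_start) { l->window_start = now_sec; l->count = 0; }
    if (l->count >= CMD_BUDGET_PER_SEC) return 0;   /* drop: over budget */
    l->count++;
    return 1;
}

int main(void) {
    uint8_t out[RESP_LEN];
    size_t n = 0;
    cmd_t abnormal = { CMD_TEST, 0, {0} };

    seed_stale_call_metadata();
    n = handle_test_vulnerable(&abnormal, out);
    printf("vulnerable: %zu bytes, leaks stale call data: %s\n",
           n, leaks_callee(out, n) ? "yes" : "no");

    seed_stale_call_metadata();
    printf("hardened: abnormal command %s\n",
           handle_test_hardened(&abnormal, out, &n) == 0 ? "accepted" : "rejected");

    limiter_t lim = {0, 0};
    int allowed = 0;
    for (int i = 0; i < 50; i++) allowed += limiter_allow(&lim, 100);
    printf("flood of 50 commands in one second: %d processed\n", allowed);
    return 0;
}
```

The point of the pair of handlers is that the fix is not only a length check: the buffer is cleared before it is reused and the response length is tied to what was actually written, so a malformed request cannot turn into a read of whatever the buffer held during the last call.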


Xiaomi's Redmi Buds Pro series is known as a representative "cost-effective" wireless earphone, offering affordable prices and solid performance. The latest model, Redmi Buds 6 Pro, is also highly recognized in Korea and is currently being sold for around 80,000 won on domestic platforms such as Naver Smart Store.


Regarding these vulnerabilities, Xiaomi has said it plans to work with suppliers to carry out an update. Additionally, recently released products have already received the update and are not affected by this issue.


Meanwhile, the vulnerability was discovered and reported by the research team of Professor Lee Heejo at Korea University.
