Visitors to Mobile World Congress 2025 at Fira Gran Via in Barcelona, Spain, examine the wireless earbuds Xiaomi Buds 5 Pro at the Xiaomi booth. /Courtesy of News1

According to the IT industry, the U.S. nonprofit CERT Coordination Center (CERT/CC) announced on the 9th that information-leak and denial-of-service (DoS) vulnerabilities had been found in several models of Xiaomi's "Redmi Buds" wireless earphones. The affected models are the Redmi Buds 3 Pro, 4 Pro, 5 Pro, and 6 Pro.

CERT said an attacker within Bluetooth range can send malicious RFCOMM traffic to the earbuds without any prior pairing or authentication. The two vulnerabilities are CVE-2025-13834 and CVE-2025-13328. According to CERT, the former is a flaw in which the device returns an uninitialized memory buffer when it mishandles a TEST command, exposing up to 127 bytes per packet. The research team said call-related metadata, such as the phone number of the other party on a call, could be leaked this way.

The latter, CVE-2025-13328, causes a firmware crash by flooding the earbuds with TEST commands until the device's processing queue is overloaded. When exploited, the connected device is forcibly disconnected, and recovery may require placing the earbuds back in their charging case before they can reconnect, CERT added. CERT credited the research team of Professor Lee Hee-jo at Korea University with reporting the vulnerabilities.

A domestic advisory was also issued. The Korea Internet & Security Agency (KISA) published guidance on the same vulnerabilities in a notice on Feb. 5 and, because no security patch was available at the time, advised users to turn off Bluetooth in public places when the earphones are not in use.

Xiaomi told foreign media that the problem is "an issue related to the nonstandard configuration of Google Fast Pair by some chip suppliers," and said it is preparing an OTA update together with those suppliers.

The Redmi Buds 5 Pro and 6 Pro are also sold through Xiaomi's official Korean website, so users should regularly check the firmware version and update notices in the manufacturer's app.

※ This article has been translated by AI.