
CVE-2025-32330: Information disclosure in Google Android

Severity: Medium
Tags: Vulnerability, CVE-2025-32330
Published: Thu Sep 04 2025 (09/04/2025, 18:33:55 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: Android

Description

In generateRandomPassword of LocalBluetoothLeBroadcast.java, there is a possible way to intercept the Auracast audio stream due to an insecure default value. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AI-Powered Analysis

Last updated: 09/11/2025, 20:16:35 UTC

Technical Analysis

CVE-2025-32330 is a medium-severity information disclosure vulnerability affecting Android 13, 14 and 15. The flaw is in generateRandomPassword in LocalBluetoothLeBroadcast.java, the framework code that sets up Auracast (Bluetooth LE Audio broadcast) sessions. In Auracast the broadcast code, which Android presents to the user as the broadcast "password", is the secret from which the key protecting an encrypted broadcast is derived; for an encrypted stream it is what keeps an arbitrary receiver in range from decoding the audio, because a broadcast is one-way and receivers never pair or connect with the source. The advisory states that this generator relied on an insecure default value, so the code it produced did not give the secrecy the design assumes. An attacker only needs to be within Bluetooth range, needs no user interaction and gains no execution privilege; the outcome is eavesdropping on the audio stream. The weakness is classified as CWE-1188 (insecure default initialization of a resource). The analysis reports a CVSS v3.1 base score of 5.7 with an adjacent attack vector, low attack complexity, low privileges required, no user interaction, high confidentiality impact and no integrity or availability impact; note, however, that the record's own technical details below list no CVSS version, so confirm the score and vector against NVD or the Android Security Bulletin before using them for prioritization. No in-the-wild exploitation has been reported and this record links no patch. Because the CVE was assigned by google_android, the fix is distributed the way Android framework fixes normally are, through the monthly Android Security Bulletin and AOSP, so the practical check is a device's security patch level for the bulletin covering this CVE rather than a patch link on this page.
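The advisory does not say what the insecure default was, so the following is an added illustration rather than Android's LocalBluetoothLeBroadcast code: a hypothetical fixed-default generator beside a hardened one, a length/padding check for the Broadcast_Code, and a small audit that detects a generator returning a constant. It is written in Python to keep it runnable outside an Android build. Assumptions: the 4-to-16-octet UTF-8 bound comes from the Bluetooth Basic Audio Profile as I recall it, and the zero padding of shorter codes to 16 octets on the right is likewise taken from that text; verify both against the BAP revision you target before relying on them. The weak generator and the 8-octet minimum in is_weak_code are policy choices for this example, not Android behaviour.

```python
"""Auracast Broadcast_Code generation: insecure default vs. hardened generator.
Added example, not the Android implementation."""
import math
import secrets
import string
from collections.abc import Callable

MIN_OCTETS = 4          # BAP minimum (assumed; check the spec revision)
MAX_OCTETS = 16         # BAP maximum / on-air size
ALPHABET = string.ascii_letters + string.digits  # one octet per character


def weak_default_code() -> str:
    """Hypothetical insecure default (NOT Android's code): a constant shared
    by every broadcaster. Anyone who knows it can decrypt every stream."""
    return "0000"


def generate_broadcast_code(length: int = MAX_OCTETS) -> str:
    """Hardened generator: full-length code drawn from the OS CSPRNG."""
    if not MIN_OCTETS <= length <= MAX_OCTETS:
        raise ValueError("Broadcast_Code must be 4..16 octets")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def to_wire_format(code: str) -> bytes:
    """Enforce the UTF-8 length bound and return the 16-octet on-air value
    (right-padded with 0x00; padding side assumed, see lead-in)."""
    raw = code.encode("utf-8")
    if not MIN_OCTETS <= len(raw) <= MAX_OCTETS:
        raise ValueError(f"Broadcast_Code is {len(raw)} octets; need 4..16")
    return raw.ljust(MAX_OCTETS, b"\x00")


def keyspace_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits an attacker must search for a uniformly random code."""
    return length * math.log2(alphabet_size)


def is_weak_code(code: str) -> bool:
    """Reject codes an attacker tries first: short (<8 octets, an example
    policy), a single repeated character, or all digits."""
    raw = code.encode("utf-8")
    return len(raw) < 8 or len(set(code)) == 1 or code.isdigit()


def audit_generator(gen: Callable[[], str], samples: int = 32) -> dict:
    """Sample a generator and report whether it repeats or violates the
    length bound. A fixed default shows up as distinct == 1."""
    codes = [gen() for _ in range(samples)]
    lengths = [len(c.encode("utf-8")) for c in codes]
    distinct = len(set(codes))
    return {
        "distinct": distinct,
        "repeats": distinct < samples,
        "min_octets": min(lengths),
        "all_valid_length": all(MIN_OCTETS <= n <= MAX_OCTETS for n in lengths),
        "any_weak": any(is_weak_code(c) for c in codes),
    }


if __name__ == "__main__":
    print("weak default :", audit_generator(weak_default_code))
    print("CSPRNG        :", audit_generator(generate_broadcast_code))
    print("4-digit PIN keyspace bits:", round(keyspace_bits(4, 10), 1))
    print("16-char code keyspace bits:", round(keyspace_bits(16), 1))
```

The audit is the part worth carrying into a code review or a device test: a generator that is supposed to be random but returns the same value, or values that fail is_weak_code, is exactly the "insecure default" pattern the advisory describes, and it is caught by sampling without knowing anything about the generator's internals.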

Potential Impact

For European organizations, the impact of CVE-2025-32330 is a confidentiality breach of audio transmitted via Auracast Bluetooth LE broadcasts. Organizations using Android 13 to 15 devices for Auracast audio sharing in sensitive settings such as corporate meetings, healthcare or government facilities could have conversations or audio content intercepted by a nearby attacker. Because an Auracast broadcast is one-way, the broadcasting device has no way to tell who is receiving it, and with no user interaction or elevated privileges required the eavesdropping goes unnoticed; the risk is highest in public or semi-public spaces. This could leak proprietary information, personal data or other sensitive audio. The impact is bounded by Bluetooth range, and the vulnerability does not affect integrity or availability, so it enables neither tampering nor denial of service. Even so, the confidentiality breach could undermine trust in Auracast and in Android devices in professional environments across Europe.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:
1) Monitor for the Android Security Bulletin covering CVE-2025-32330 and prioritize timely deployment on all affected Android devices (versions 13 to 15); verify the fix by checking each device's security patch level (Settings > About phone) against the bulletin date, and enforce that level through MDM where available.
2) Disable Auracast Bluetooth LE broadcasting (audio sharing) on Android devices in sensitive or high-risk environments where confidential audio is transmitted, until patched builds are deployed.
3) Where the audio-sharing UI allows it, set a strong, manually chosen broadcast password instead of accepting the generated default, and treat that password as a secret shared only with intended listeners.
4) Implement physical security controls to limit unauthorized proximity to devices broadcasting Auracast streams, such as controlled access zones or RF containment.
5) Educate users about the risk of nearby attackers intercepting Auracast audio and encourage cautious use of Bluetooth audio broadcasting in public or unsecured areas.
6) Use Bluetooth LE scanning tools (not IP network monitoring, which does not see Bluetooth traffic) to detect unexpected LE Audio broadcasts or unknown devices in proximity.
7) Consider alternative audio streaming technologies with stronger encryption and authentication if the Auracast use case is critical.


Technical Details

Data Version
5.1
Assigner Short Name
google_android
Date Reserved
2025-04-04T23:30:30.732Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68b9dcc588499799243c2f26

Added to database: 9/4/2025, 6:39:01 PM

Last enriched: 9/11/2025, 8:16:35 PM

Last updated: 10/18/2025, 5:42:22 PM


