## https://sploitus.com/exploit?id=98F7A4AA-4231-5D1B-97C5-6BF5911403E4
# zWhisper
## CVE-2025-36911 WhisperPair Vulnerability Scanner and Exploit
By Ziron
Educational tool for testing the WhisperPair vulnerability (CVE-2025-36911) in Google Fast Pair devices on Windows 11.
## DISCLAIMER
This tool is strictly for educational and security research purposes only. You must only use this tool on devices that you own or have explicit written permission to test. Unauthorized access to devices is illegal and unethical. The author assumes no responsibility for misuse of this software.
## What is WhisperPair?
WhisperPair (CVE-2025-36911) is a critical vulnerability in Google's Fast Pair protocol affecting hundreds of millions of Bluetooth audio devices. The flaw allows unauthorized pairing with vulnerable devices without user consent.
## Features
- Scan for nearby Fast Pair enabled devices
- Test devices for CVE-2025-36911 vulnerability
- Attempt pairing with vulnerable devices
- Play audio to paired devices
- Minimal interface focused on educational demonstration
## Requirements
- Windows 11 (with Bluetooth support)
- Python 3.9 or higher
- Administrator privileges (for Bluetooth operations)
## Installation
1. Install Python 3.9+ from python.org
2. Install required packages:
```bash
pip install -r requirements.txt
```
3. Run the tool:
```bash
python zwhisper.py
```
## Usage
1. Scan for devices: Discover nearby Fast Pair enabled Bluetooth devices
2. Test/Exploit device: Attempt to pair with a selected device using the vulnerability
3. Play audio: Send audio to a successfully paired device
4. Exit: Close the application
## How It Works
1. BLE Scanning: Scans for devices advertising the Fast Pair service UUID (0xFE2C)
2. Key-Based Pairing: Sends a Key-Based Pairing request without proper validation
3. Pairing: Attempts to establish Bluetooth Classic connection
4. Audio Playback: Uses Windows audio subsystem to play sound through paired device
## Limitations on Windows
- Windows Bluetooth stack requires user confirmation for pairing
- Some operations may require manual intervention in Windows Settings
- Bluetooth audio routing must be configured in Windows Sound settings
- Full automation limited compared to Android implementation
## Known Vulnerable Devices
Devices from these manufacturers may be vulnerable:
- Sony
- Jabra
- JBL
- Logitech
- Marshall
- Nothing
- OnePlus
- Soundcore
- Xiaomi
- Google (Pixel Buds)
- Beats
Check whisperpair.eu/vulnerable-devices for complete list.
## Mitigation
If your device is vulnerable:
1. Check manufacturer's website for firmware updates
2. Install all available updates for your audio accessories
3. Keep devices updated to protect against future vulnerabilities
## References
- Original Research: whisperpair.eu
- CVE Entry: CVE-2025-36911
- Researchers: KU Leuven COSIC & DistriNet Groups
## Legal Notice
This tool is provided for educational and security research purposes only. Unauthorized access to devices you do not own is illegal. The author is not responsible for misuse of this tool. By using this software, you agree to use it only on devices you own or have explicit permission to test.
## Credits
Windows implementation by Ziron
Original vulnerability discovered by researchers at KU Leuven, Belgium