
Security researchers from Oligo Security have uncovered a critical set of vulnerabilities in Apple's AirPlay protocol and AirPlay SDK, enabling attackers to remotely take over Apple and third-party devices without any user interaction.
Dubbed “AirBorne,” the vulnerabilities can be chained to achieve wormable zero-click Remote Code Execution (RCE) across a broad range of devices, including iPhones, Macs, Apple TVs, and CarPlay systems.
The discovery was made by Oligo Security researchers during an internal review of open network ports. Noticing extensive exposure on port 7000 — used by AirPlay — the team delved deeper into the protocol’s handling of property lists (plists), revealing significant security flaws in parameter parsing and access controls. The vulnerabilities were reported to Apple under responsible disclosure, leading to 17 assigned CVEs across various Apple software versions, with patches released as part of updates in early 2025.
AirPlay is a wireless streaming protocol critical to Apple's ecosystem, found across 2.35 billion active devices globally, from iPhones and Macs to Apple TVs and the newer Vision Pro headsets. It also powers millions of third-party smart speakers, receivers, and car infotainment systems through the AirPlay SDK. Given AirPlay’s widespread use, especially in enterprise and automotive environments, the potential reach of AirBorne exploitation is vast and concerning.
AirBorne attack scenarios
At the technical level, two vulnerabilities — CVE-2025-24252 (a use-after-free in macOS) and CVE-2025-24132 (a stack-based buffer overflow in the AirPlay SDK) — stand out for enabling full, wormable, zero-click remote compromise. Attackers can exploit these flaws over local networks, public Wi-Fi, or peer-to-peer connections, spreading malware between devices automatically without user interaction. Practical attacks demonstrated by Oligo include device takeover, audio hijacking, data exfiltration, and even tracking and eavesdropping via CarPlay systems.
A notable scenario involves an attacker compromising a MacBook at a coffee shop, then later gaining access to an enterprise network once the infected device connects to the company Wi-Fi. Similarly, insecure CarPlay hotspots could allow attackers to hijack vehicles’ entertainment systems or monitor private conversations. The risks are amplified by AirPlay’s reliance on simple access controls that Oligo demonstrated could be bypassed, even when users had enabled security features like “Current User Only” settings.
In addition to the RCEs, other critical vulnerabilities discovered include local arbitrary file reads (CVE-2025-24270) and sensitive information disclosure flaws, allowing attackers to access private device data or network credentials. Denial of Service (DoS) vulnerabilities were also identified, one of which allows attackers to remotely crash a device’s UI system, forcing a user logout and enabling man-in-the-middle attacks.
Fixes and mitigations available
Apple and Oligo coordinated closely to ensure timely patching, with fixes included in iOS 18.4, macOS Sequoia 15.4, and corresponding updates across tvOS, visionOS, and watchOS. Not all vulnerabilities received individual CVE IDs; some were grouped based on remediation paths.
If you haven’t applied the security updates Apple released earlier this month, you should do so immediately. It is also recommended to turn off AirPlay receivers in the device settings when they are not actively in use.
Users can also implement firewall rules to restrict traffic on port 7000 to trusted networks and devices only, and set AirPlay permissions to “Current User” to reduce, though not eliminate, risk exposure.
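As an added example (not code from Oligo's report or from Apple), the triage script below walks a constructed device inventory and flags hosts that are listening on the AirPlay port outside the trusted subnets named in the firewall rules above, or that still run builds older than the fixed iOS 18.4 / macOS 15.4 releases; the CSV layout, hostnames and the `triage` helper are assumptions for illustration.

```python
import csv
import io
import ipaddress
from typing import Optional

# Minimum OS versions carrying the AirBorne fixes, as stated in the article.
# Platforms whose fixed build the article does not name map to None so they
# are flagged for manual review rather than guessed.
FIXED_VERSIONS = {"ios": (18, 4), "macos": (15, 4),
                  "tvos": None, "visionos": None, "watchos": None}
AIRPLAY_PORT = 7000  # the port Oligo saw widely exposed

def parse_version(text: str) -> tuple:
    """Turn '18.3.1' into (18, 3, 1) so versions compare as tuples."""
    return tuple(int(p) for p in text.strip().split("."))

def is_unpatched(platform: str, version: str) -> Optional[bool]:
    """True if below the fixed release, False if at/above, None if unknown."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        return None
    return parse_version(version) < fixed

def triage(inventory_csv: str, trusted_nets: list) -> list:
    """Report devices exposing port 7000 off-net or on unpatched/unknown builds."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ports = {int(p) for p in row["open_ports"].split(";") if p}
        if AIRPLAY_PORT not in ports:
            continue  # no AirPlay receiver listening, nothing to report
        addr = ipaddress.ip_address(row["ip"])
        off_net = not any(addr in n for n in nets)
        unpatched = is_unpatched(row["platform"], row["os_version"])
        # Unknown patch state (None) is treated as a finding, not as safe.
        if off_net or unpatched is not False:
            findings.append({"host": row["host"], "ip": row["ip"],
                             "off_trusted_net": off_net, "unpatched": unpatched})
    return findings

# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = """host,ip,platform,os_version,open_ports
mbp-01,10.20.0.15,macOS,15.3.2,22;7000
mbp-02,10.20.0.16,macOS,15.4,7000
iphone-07,10.20.5.40,iOS,18.4.1,7000
tv-lobby,192.168.50.9,tvOS,18.3,7000
speaker-kitchen,10.20.0.80,macOS,15.4,
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, ["10.20.0.0/16"]):
        print(finding)
```

Feed it the output of whatever asset inventory or port scan you already run against your own fleet; the trusted-network list should match the subnets your port 7000 firewall rule permits.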