
AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover

Vulnerabilities in Apple’s AirPlay protocol could have allowed attackers to execute code remotely without user interaction.


Vulnerabilities in Apple’s AirPlay protocol and the accompanying SDK could allow attackers to take over devices, in some instances without user interaction, runtime protection firm Oligo Security says.

The identified security defects, 23 in total, could be exploited over wireless networks and peer-to-peer connections, leading to the complete compromise not only of Apple products, but also of third-party devices that use the AirPlay SDK.

Two of the discovered vulnerabilities, tracked as CVE-2025-24252 and CVE-2025-24132, enable attackers to build wormable zero-click remote code execution exploits. The compromised devices could be used as a launchpad for additional compromise.

“This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to. This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more,” Oligo says.

A total of 17 CVE identifiers were issued for the disclosed issues, and Apple worked together with Oligo to address them in the recent iOS, iPadOS, and macOS releases.

These vulnerabilities, which Oligo calls AirBorne, could be exploited independently or chained together for remote code execution (RCE), protection bypasses, file read, information disclosure, man-in-the-middle (MiTM) attacks, and denial of service (DoS).

CVE-2025-24252, a use-after-free bug, could lead to RCE on macOS. If chained with CVE-2025-24206, a user interaction bypass, it leads to zero-click RCE on “macOS devices that are connected to the same network as an attacker with the AirPlay receiver on and set to the ‘Anyone on the same network’ or ‘Everyone’ configuration”.

“The vulnerability allows for wormable exploits under these circumstances, given it enables an attack path that can spread from one machine to another with no human interaction,” Oligo says.


A compromised device connected to an enterprise network could allow the attacker to target additional devices and move laterally. Oligo published a video demonstration of CVE-2025-24252’s exploitation.

CVE-2025-24271, an ACL flaw allowing unauthenticated attackers to send AirPlay commands without pairing, could be chained with CVE-2025-24137 (patched in January 2025) for one-click RCE.

CVE-2025-24132, a stack-based buffer overflow issue, can be exploited for zero-click RCE on speakers and receivers using the AirPlay SDK, regardless of their configuration, and could be abused to create wormable exploits.

The bug also exposes CarPlay devices to zero-click RCE under certain conditions, potentially allowing attackers to distract drivers through image display and audio play, to eavesdrop on their conversations, or track the vehicle’s location, Oligo says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
