Wormable AirPlay Vulnerabilities: Zero-Click Remote Control of Apple Devices in Public Wi-Fi Environments

Cybersecurity researchers have recently disclosed a series of security vulnerabilities in Apple’s AirPlay protocol, which have now been patched. Attackers could successfully exploit these vulnerabilities to control devices that support this proprietary wireless technology. The Israeli cybersecurity company Oligo has collectively referred to these vulnerabilities as AirBorne.

Vulnerability Combination Enables Worm-like Attacks

Researchers Uri Katz, Avi Lumelsky, and Gal Elbaz noted: “Attackers can chain these vulnerabilities together to control AirPlay-enabled devices, including Apple devices and third-party devices that use the AirPlay SDK (Software Development Kit).” The combination of vulnerabilities such as CVE-2025-24252 and CVE-2025-24132 can create a wormable remote code execution (RCE) attack chain that requires no user interaction, allowing malware to spread across any local network to which the infected device connects.

This attack method could facilitate the deployment of complex attacks such as backdoors and ransomware, posing a serious security threat. Overall, these vulnerabilities enable:

  • Zero-click or single-click remote code execution
  • Bypassing access control lists (ACLs) and user interaction validation
  • Local arbitrary file reading
  • Information leakage
  • Adversary-in-the-Middle (AitM) attacks
  • Denial of Service (DoS) attacks

Specific Attack Scenario Analysis

By chaining the vulnerabilities CVE-2025-24252 and CVE-2025-24206, attackers can execute zero-click RCE attacks on macOS devices that are on the same network. However, this attack requires the target device’s AirPlay receiver to be turned on and set to “Anyone on the same network” or “Everyone” mode.

In a typical attack scenario, the victim’s device is compromised when it connects to public Wi-Fi. If that device subsequently connects to a corporate network, the attacker gains a path to compromise other devices on the same network.

Key Vulnerability List

  • CVE-2025-24271: An access control vulnerability that allows attackers on the same network to bypass pairing validation and send AirPlay commands to a logged-in Mac
  • CVE-2025-24137: A vulnerability that can lead to arbitrary code execution or application termination
  • CVE-2025-24132: A stack-based buffer overflow vulnerability that can achieve zero-click RCE on speakers and receivers using the AirPlay SDK
  • CVE-2025-24206: An authentication vulnerability that allows local network attackers to bypass authentication policies
  • CVE-2025-24270: A vulnerability that can lead to the leakage of sensitive user information
  • CVE-2025-24251: A vulnerability that can cause abnormal application termination
  • CVE-2025-31197: A vulnerability that can cause abnormal application termination
  • CVE-2025-30445: A type confusion vulnerability that can lead to abnormal application termination
  • CVE-2025-31203: An integer overflow vulnerability that can cause a denial of service state

Patch Release Status

Apple has patched these vulnerabilities in the following versions:

  • iOS 18.4 and iPadOS 18.4
  • iPadOS 17.7.6
  • macOS Sequoia 15.4
  • macOS Sonoma 14.7.5
  • macOS Ventura 13.7.5
  • tvOS 18.4
  • visionOS 2.4

Some vulnerabilities (CVE-2025-24132 and CVE-2025-30422) have also been patched in the following components:

  • AirPlay Audio SDK 2.7.1
  • AirPlay Video SDK 3.6.0.126
  • CarPlay Communication Plugin R18.1
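
An added example (not code from Oligo or Apple): a Python check of a device inventory against the fixed operating-system versions listed above. The host names and inventory rows are constructed, and treating a newer major release as patched is an assumption.

```python
import re

# First fixed release per platform and major branch, copied from the list above.
FIXED = {
    "iOS": {18: (18, 4)},
    "iPadOS": {17: (17, 7, 6), 18: (18, 4)},
    "macOS": {13: (13, 7, 5), 14: (14, 7, 5), 15: (15, 4)},
    "tvOS": {18: (18, 4)},
    "visionOS": {2: (2, 4)},
}

# Constructed sample inventory (hypothetical hosts), e.g. exported from an MDM.
INVENTORY = [
    ("lobby-mac", "macOS", "14.7.4"),
    ("eng-mac-07", "macOS", "15.4"),
    ("exec-ipad", "iPadOS", "17.7.6"),
    ("sales-phone", "iOS", "17.7.2"),
    ("conf-room-tv", "tvOS", "18.3"),
]

def parse_version(text):
    """Turn '14.7.5' into (14, 7, 5); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def airborne_status(platform, version):
    """Return 'patched', 'vulnerable', 'no-listed-fix' or 'unknown-platform'."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown-platform"
    v = parse_version(version)
    if v[0] > max(branches):
        return "patched"  # assumption: newer major releases include the fixes
    fixed = branches.get(v[0])
    if fixed is None:
        return "no-listed-fix"  # branch with no fixed release on this page
    # Pad to equal length so that 15.4 compares equal to 15.4.0, not below it.
    width = max(len(v), len(fixed))
    v, fixed = (t + (0,) * (width - len(t)) for t in (v, fixed))
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory):
    """Return (host, platform, version, status) for every device not patched."""
    rows = [(h, p, ver, airborne_status(p, ver)) for h, p, ver in inventory]
    return [row for row in rows if row[3] != "patched"]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```

Devices reported as no-listed-fix run a branch for which this page names no patched release, so they need a separate decision, such as turning the AirPlay receiver off.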

Oligo emphasizes: “Organizations must immediately upgrade all Apple devices and other terminals that support AirPlay to the latest versions. Security officers should also clearly inform employees that all their personal devices supporting AirPlay must be updated immediately.”
