Cybersecurity researchers have uncovered multiple vulnerabilities within Apple’s AirPlay protocol, now patched, that could allow attackers to remotely seize control of affected devices. The flaws, collectively called AirBorne, were identified by Israeli cybersecurity firm Oligo and impact both Apple and third-party devices using the AirPlay SDK.
Security researchers Uri Katz, Avi Lumelsky, and Gal Elbaz revealed that these vulnerabilities could be exploited together to enable remote code execution (RCE). Some of the most critical flaws, including CVE-2025-24252 and CVE-2025-24132, allow the creation of a wormable zero-click RCE exploit, where malware spreads across devices within the same local network, without user interaction.
The potential fallout of such vulnerabilities is severe, paving the way for backdoors, ransomware, and adversary-in-the-middle (AitM) attacks. Attackers can bypass access control lists (ACL), execute arbitrary code, and leak sensitive information, significantly impacting device security. These flaws, when chained together, create a wide array of attack vectors that range from denial-of-service (DoS) to information disclosure.
Key Vulnerabilities and Their Impact
Among the most notable vulnerabilities in AirPlay are the following:
- CVE-2025-24271: An ACL vulnerability allowing attackers on the same network to send AirPlay commands without pairing with the device.
- CVE-2025-24137: A flaw that could lead to arbitrary code execution or cause an application termination.
- CVE-2025-24132: A stack-based buffer overflow that may enable zero-click RCE on AirPlay-enabled speakers and receivers.
- CVE-2025-24206: An authentication bypass vulnerability, letting attackers bypass security policies on local networks.
- CVE-2025-24270: A vulnerability that could cause sensitive information leakage from the device.
- CVE-2025-24251: A flaw capable of causing unexpected app terminations on affected devices.
- CVE-2025-31197: A vulnerability leading to unexpected app crashes.
- CVE-2025-30445: A type confusion vulnerability that could also cause an unexpected app termination.
- CVE-2025-31203: An integer overflow vulnerability causing DoS conditions on local networks.
In a hypothetical attack scenario, an infected device could compromise a victim’s device on a public Wi-Fi network, which then propagates to enterprise networks, enabling attackers to breach devices across the same network.
Timely Patches Address Critical Flaws
Following responsible disclosure, Apple has released patches to address the vulnerabilities. The updates are available in the following versions:
- iOS 18.4 and iPadOS 18.4
- iPadOS 17.7.6
- macOS Sequoia 15.4
- macOS Sonoma 14.7.5
- macOS Ventura 13.7.5
- tvOS 18.4
- visionOS 2.4
Additionally, AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, and CarPlay Communication Plug-in R18.1 have also received updates, addressing vulnerabilities such as CVE-2025-24132 and CVE-2025-30422.
Oligo recommends immediate updates for corporate devices and any other Apple devices supporting AirPlay. Security leaders should ensure that all employees’ personal devices are also updated without delay.
