A major set of vulnerabilities, collectively named “AirBorne”, in Apple’s AirPlay protocol and SDK has been unveiled, enabling an array of severe attack vectors.
Most critically, these flaws allow zero-click “wormable” Remote Code Execution (RCE), meaning attackers can take over Apple and third-party devices via Wi-Fi without any user interaction.
The impact spans billions of devices globally, including Macs, iPhones, iPads, Apple TV, CarPlay systems, and third-party AirPlay-enabled speakers.
The AirBorne Threat
AirBorne exposes devices to attacks that can cascade rapidly across networks. The vulnerabilities make it possible for a remote attacker to:
- Hijack devices without any user action (zero-click RCE)
- Deploy self-propagating malware (“wormable” exploits)
- Eavesdrop on conversations via device microphones
- Exfiltrate sensitive information
- Launch further attacks, including ransomware and supply-chain intrusions
The technical heart of the threat is attackers' ability to bypass authentication, execute arbitrary code, and spread automatically to other vulnerable devices on the same or new networks, a scenario ripe for large-scale exploitation.
How Does the Attack Work?
AirPlay communicates over port 7000 and relies on the property list (plist) data format for commands.
Oligo’s researchers found that improper handling of these property lists (among other flaws) can enable multiple forms of exploitation:
- Type Confusion (e.g., CVE-2025-24129)
- Use-After-Free (e.g., CVE-2025-24252)
- Stack-based Buffer Overflow (e.g., CVE-2025-24132)
- Access Control List (ACL) Bypass (e.g., CVE-2025-24271)
- User Interaction Bypass (e.g., CVE-2025-24206)
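Because the flaws above start with a receiver trusting the shape and types of incoming property lists, the defensive counterpart is strict validation of every plist before acting on it. The following is an added example, not code from the article, from Oligo, or from Apple's AirPlay implementation: the command keys (`type`, `value`, `sessionID`), the allowed command names and the size limit are assumptions chosen for illustration, and the sample plists are constructed. It contrasts a receiver that trusts the declared type with one that checks it, using Python's standard `plistlib`.

```python
"""Strict type checking of plist-encoded commands (added example).

The command schema below is hypothetical and is NOT AirPlay's real command
format; it only illustrates how a receiver should validate property-list
input before using it.
"""
import plistlib
from typing import Any, Dict, Tuple

# Hypothetical schema: key -> (expected type, required?). Keys not listed
# here are rejected outright rather than silently ignored.
COMMAND_SCHEMA: Dict[str, Tuple[type, bool]] = {
    "type": (str, True),
    "value": (float, False),
    "sessionID": (int, False),
}
ALLOWED_COMMANDS = {"play", "pause", "volume"}   # assumption, for illustration
MAX_PLIST_BYTES = 4096                           # assumption: cap parser input


class InvalidCommand(ValueError):
    """Raised for any plist that does not match the schema exactly."""


def _type_matches(value: Any, expected: type) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly:
    # a <true/> element must not pass as an integer or a real.
    if expected is float:
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def parse_command(raw: bytes) -> Dict[str, Any]:
    """Decode and validate one command; every failure raises InvalidCommand."""
    if len(raw) > MAX_PLIST_BYTES:
        raise InvalidCommand("plist exceeds size limit")
    try:
        doc = plistlib.loads(raw)          # accepts XML or binary plists
    except Exception as exc:               # malformed XML/binary input
        raise InvalidCommand(f"malformed plist: {exc}") from None
    if not isinstance(doc, dict):
        raise InvalidCommand("top-level object must be a dictionary")
    unknown = set(doc) - set(COMMAND_SCHEMA)
    if unknown:
        raise InvalidCommand(f"unexpected keys: {sorted(unknown)}")
    for key, (expected, required) in COMMAND_SCHEMA.items():
        if key not in doc:
            if required:
                raise InvalidCommand(f"missing required key: {key}")
            continue
        if not _type_matches(doc[key], expected):
            raise InvalidCommand(
                f"key {key!r}: expected {expected.__name__}, "
                f"got {type(doc[key]).__name__}")
    if doc["type"] not in ALLOWED_COMMANDS:
        raise InvalidCommand(f"unknown command: {doc['type']!r}")
    if doc["type"] == "volume":
        if "value" not in doc or not 0.0 <= doc["value"] <= 1.0:
            raise InvalidCommand("volume requires value in [0.0, 1.0]")
    return doc


def naive_volume_percent(raw: bytes) -> int:
    """What a receiver that trusts the declared type does: no checks at all.

    If "value" arrives as the string "1" instead of a real, "1" * 100 is a
    100-character string and int() of it is a huge number, not 100.
    """
    doc = plistlib.loads(raw)
    return int(doc["value"] * 100)


# Constructed sample inputs (not captured AirPlay traffic).
GOOD_COMMAND = plistlib.dumps({"type": "volume", "value": 0.5})
WRONG_TYPE_COMMAND = plistlib.dumps({"type": "volume", "value": "1"})
WRONG_TOP_LEVEL = plistlib.dumps(["volume"])
UNKNOWN_KEY_COMMAND = plistlib.dumps({"type": "play", "payload": b"\x00" * 8})

if __name__ == "__main__":
    print("validated:", parse_command(GOOD_COMMAND))
    print("naive handler on wrong type:", naive_volume_percent(WRONG_TYPE_COMMAND))
    for sample in (WRONG_TYPE_COMMAND, WRONG_TOP_LEVEL, UNKNOWN_KEY_COMMAND):
        try:
            parse_command(sample)
        except InvalidCommand as exc:
            print("rejected:", exc)
```

The point of the naive handler is that a type mismatch in a trusting parser does not necessarily crash; it silently produces a wrong value, which in a native implementation is where memory-unsafe type confusion begins. The validating parser rejects the top-level type, unknown keys, and mismatched value types before any command logic runs.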
A particularly dangerous scenario unfolds when a compromised device joins another network (like an employee connecting to an office Wi-Fi after infection in a public place).
Wormable exploits can then propagate silently, hijacking additional devices.
| CVE | Attack Type | Affected Devices / Software | Security Advisories / Patches |
| --- | --- | --- | --- |
| CVE-2025-24252 | Zero-Click Wormable RCE | macOS, tvOS, iOS, iPadOS, visionOS | macOS Sequoia 15.4, tvOS 18.4, iOS 18.4, etc. |
| CVE-2025-24132 | Zero-Click Wormable RCE | AirPlay audio/video SDK, CarPlay | AirPlay audio SDK 2.7.1, CarPlay Plug-in R18.1 |
| CVE-2025-24206 | User Interaction Bypass | macOS, tvOS, iOS, iPadOS, visionOS | macOS Sequoia 15.4, iOS 18.4, etc. |
| CVE-2025-24271 | ACL Bypass, One-Click RCE | macOS, tvOS, iOS, iPadOS, visionOS | macOS Sequoia 15.4, iOS 18.4, etc. |
| CVE-2025-24137 | One-Click RCE | macOS, visionOS, tvOS, iOS, iPadOS | macOS 14.7.3, tvOS 18.3, iOS 18.3, etc. |
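A practical use of the table is to check a device inventory against the listed fix versions. The script below is an added example, not tooling from the article, Oligo, or Apple: the affected platforms and minimum fixed versions are copied from the table, and the inventory is constructed. Where the table only says "etc." for a platform, no version is recorded and the device is reported as "unverified" instead of guessed, and the CarPlay Plug-in R18.1 entry is left out because it is not a dotted numeric version.

```python
"""Audit constructed device inventory against the AirBorne fix versions
listed in the table above (added example, not the article's own tooling)."""
from typing import Dict, FrozenSet, List, Tuple

Version = Tuple[int, ...]

# Platforms the table lists as affected, per CVE.
AFFECTED: Dict[str, FrozenSet[str]] = {
    "CVE-2025-24252": frozenset({"macOS", "tvOS", "iOS", "iPadOS", "visionOS"}),
    "CVE-2025-24132": frozenset({"AirPlay audio SDK", "AirPlay video SDK", "CarPlay"}),
    "CVE-2025-24206": frozenset({"macOS", "tvOS", "iOS", "iPadOS", "visionOS"}),
    "CVE-2025-24271": frozenset({"macOS", "tvOS", "iOS", "iPadOS", "visionOS"}),
    "CVE-2025-24137": frozenset({"macOS", "visionOS", "tvOS", "iOS", "iPadOS"}),
}

# Minimum fixed version per platform, only where the table states one.
# Platforms covered by "etc." are deliberately absent; "CarPlay Plug-in R18.1"
# is omitted because it does not parse as a dotted numeric version.
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2025-24252": {"macOS": (15, 4), "tvOS": (18, 4), "iOS": (18, 4)},
    "CVE-2025-24132": {"AirPlay audio SDK": (2, 7, 1)},
    "CVE-2025-24206": {"macOS": (15, 4), "iOS": (18, 4)},
    "CVE-2025-24271": {"macOS": (15, 4), "iOS": (18, 4)},
    "CVE-2025-24137": {"macOS": (14, 7, 3), "tvOS": (18, 3), "iOS": (18, 3)},
}


def parse_version(text: str) -> Version:
    """'18.4.1' -> (18, 4, 1). Tuple ordering makes (18, 4) <= (18, 4, 1)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(platform: str, version: str) -> Dict[str, List[str]]:
    """Return CVEs the device is still below the fix for, and CVEs that affect
    the platform but for which the table gives no version to compare against."""
    installed = parse_version(version)
    result: Dict[str, List[str]] = {"vulnerable": [], "unverified": []}
    for cve, platforms in AFFECTED.items():
        if platform not in platforms:
            continue
        fixed = FIXED_IN[cve].get(platform)
        if fixed is None:
            result["unverified"].append(cve)   # consult Apple's advisory directly
        elif installed < fixed:
            result["vulnerable"].append(cve)
    return result


# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = [
    {"host": "mac-design-01", "platform": "macOS", "version": "15.4"},
    {"host": "mac-legacy-02", "platform": "macOS", "version": "14.7.3"},
    {"host": "lobby-appletv", "platform": "tvOS", "version": "18.2"},
    {"host": "iphone-sales-07", "platform": "iOS", "version": "18.4.1"},
    {"host": "conf-speaker-3", "platform": "AirPlay audio SDK", "version": "2.7.0"},
]


def audit(inventory: List[Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Assess every device and key the results by hostname."""
    return {d["host"]: assess(d["platform"], d["version"]) for d in inventory}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(f"{host:16} vulnerable={findings['vulnerable']} "
              f"unverified={findings['unverified']}")
```

The "unverified" bucket matters more than it looks: a macOS 14.7.3 host is patched for CVE-2025-24137 according to the table but still below the 15.4 level listed for the other three Apple CVEs, and a tvOS device can only be cleared for two of the four CVEs from this table alone, so the remaining ones need Apple's full advisory rather than an assumption that they were fixed in the same release.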
Devices at Risk
- Apple Devices: Macs, iPhones, iPads, Apple TVs, Vision Pro
- CarPlay: Embedded in over 800 vehicle models, vulnerable under several conditions
- Third-Party Devices: Tens of millions of speakers, TVs, and receivers with AirPlay SDK
- Potential Impact: Over 2.35 billion active Apple devices worldwide
Attackers can inject malicious commands to perform actions ranging from playing unwanted media or distracting drivers in CarPlay to activating microphones for surveillance.
Oligo Security disclosed 23 vulnerabilities, with Apple issuing 17 CVEs and releasing patches across its platforms.
Collaboration between Apple and Oligo ensured rapid mitigation, though users must update devices immediately to close off these critical holes.
Apple software updates covering these CVEs are available now. Delaying updates dramatically increases exposure, especially for users of public or untrusted Wi-Fi.
The AirBorne vulnerabilities highlight the evolving sophistication and risk of wireless protocol flaws.
Zero-click, wormable exploits stand among the most severe, with the potential to disrupt millions of users and critical infrastructure. Prompt updating and ongoing vigilance are crucial to defense.