May 05, 2025Ravie LakshmananNetwork Security / Vulnerability

Cybersecurity researchers have disclosed a series of now-patched security vulnerabilities in Apple’s AirPlay protocol that, if successfully exploited, could enable an attacker to take over susceptible devices supporting the proprietary wireless technology.

The shortcomings have been collectively codenamed AirBorne by Israeli cybersecurity company Oligo.

“These vulnerabilities can be chained by attackers to potentially take control of devices that support AirPlay – including both Apple devices and third-party devices that leverage the AirPlay SDK,” security researchers Uri Katz, Avi Lumelsky, and Gal Elbaz said.

Some of the vulnerabilities, like CVE-2025-24252 and CVE-2025-24132, can be strung together to fashion a wormable zero-click RCE exploit, enabling bad actors to deploy malware that propagates to devices on any local network the infected device connects to.

This could then pave the way for sophisticated attacks that can lead to the deployment of backdoors and ransomware, posing a serious security risk.

The vulnerabilities, in a nutshell, could enable zero- or one-click remote code execution (RCE), access control list (ACL) and user interaction bypass, local arbitrary file read, information disclosure, adversary-in-the-middle (AitM) attacks, and denial-of-service (DoS).

This includes chaining CVE-2025-24252 and CVE-2025-24206 to achieve a zero-click RCE on macOS devices that are connected to the same network as an attacker. However, for this exploit to succeed, the AirPlay receiver needs to be on and set to the “Anyone on the same network” or “Everyone” configuration.

In a hypothetical attack scenario, a victim’s device could get compromised when connected to a public Wi-Fi network. Should the device be connected later to an enterprise network, it could provide an attacker with a way to breach other devices that are connected to the same network.

Some of the other notable flaws are listed below –

• CVE-2025-24271 – An ACL vulnerability that can enable an attacker on the same network as a signed-in Mac to send AirPlay commands to it without pairing
• CVE-2025-24137 – A vulnerability that could cause arbitrary code execution or an application to terminate
• CVE-2025-24132 – A stack-based buffer overflow vulnerability that could result in a zero-click RCE on speakers and receivers that leverage the AirPlay SDK
• CVE-2025-24206 – An authentication vulnerability that could allow an attacker on the local network to bypass authentication policy
• CVE-2025-24270 – A vulnerability that could allow an attacker on the local network to leak sensitive user information
• CVE-2025-24251 – A vulnerability that could allow an attacker on the local network to cause an unexpected app termination
• CVE-2025-31197 – A vulnerability that could allow an attacker on the local network to cause an unexpected app termination
• CVE-2025-30445 – A type confusion vulnerability that could could allow an attacker on the local network to cause an unexpected app termination
• CVE-2025-31203 – An integer overflow vulnerability that could allow an attacker on the local network to cause a DoS condition

Following responsible disclosure, the identified vulnerabilities have been patched in the below versions –

• iOS 18.4 and iPadOS 18.4
• iPadOS 17.7.6
• macOS Sequoia 15.4
• macOS Sonoma 14.7.5
• macOS Ventura 13.7.5
• tvOS 18.4, and
• visionOS 2.4

Some of the weaknesses (CVE-2025-24132 and CVE-2025-30422) have also been patched in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, and CarPlay Communication Plug-in R18.1.

“For organizations, it is imperative that any corporate Apple devices and other machines that support AirPlay are updated immediately to the latest software versions,” Oligo said.

“Security leaders also need to provide clear communication to their employees that all of their personal devices that support AirPlay need to also be updated immediately.”