
A set of critical vulnerabilities in Apple’s AirPlay Protocol and AirPlay SDK, collectively dubbed “AirBorne,” exposes devices to remote code execution (RCE) attacks requiring no user interaction. Researchers from Oligo Security identified 23 flaws (17 assigned CVEs), including use-after-free (UAF) and buffer overflow issues in plist parsing functions like /getProperty. These vulnerabilities affect both Apple devices and third-party implementations of the AirPlay SDK, enabling wormable propagation via Wi-Fi or man-in-the-middle (MITM) attacks [1].
Executive Summary for Security Leaders
The AirBorne vulnerabilities (CVE-2025-24252, CVE-2025-24132) pose significant risks due to their zero-click exploitation potential. Attackers can compromise devices via malicious AirPlay requests over local networks, with demonstrated proof-of-concept (PoC) exploits achieving RCE on unpatched systems. Patches were released in macOS 15.4 and iOS 18.4, but third-party devices using vulnerable SDK versions remain exposed [2].
- CVSS Scores: Ranging from 7.8 to 9.8 for critical flaws
- Attack Surface: Wi-Fi networks, CarPlay integrations, smart speakers
- Patch Status: Apple devices updated; third-party vendors lagging
Technical Breakdown of AirPlay Exploits
The UAF vulnerability occurs when parsing malformed property lists (plists) in AirPlay’s /getProperty endpoint. Attackers craft requests with nested dictionaries that trigger improper memory management, allowing arbitrary code execution. Oligo Security’s demo shows exploitation via Wi-Fi without requiring paired devices [3].
Buffer overflows in the SDK’s RTSP implementation enable stack corruption through oversized audio/video metadata fields. This affects devices like smart TVs that use Apple’s reference SDK. A sample malicious RTSP packet observed in testing:
```
SETUP rtsp://target/stream RTSP/1.0
CSeq: 7
Content-Length: [oversized value]
[...malformed payload...]
```
Mitigation Strategies
For organizations using AirPlay-enabled devices:
| Action | Implementation |
|---|---|
| Patch Management | Apply Apple’s macOS 15.4/iOS 18.4 updates immediately |
| Network Segmentation | Isolate AirPlay receivers on dedicated VLANs |
| SDK Updates | Verify third-party vendors have patched their AirPlay implementations |
For high-risk environments, disabling AirPlay reception entirely may be warranted until patches are verified. Network monitoring for anomalous RTSP traffic patterns can help detect exploitation attempts [4].
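One way to implement the RTSP monitoring suggested above, as an added example that is not code from Oligo Security or Apple: a checker that flags the declared-length and field-size anomalies seen in the sample request. The thresholds, label names and sample requests are assumptions constructed for illustration, and the input is assumed to be one reassembled request.

```python
import re

# Assumed thresholds for illustration; tune them against your own baseline traffic.
MAX_BODY = 64 * 1024       # largest request body treated as normal
MAX_HEADER_VALUE = 1024    # longest single header value treated as normal
REQUEST_LINE = re.compile(rb"^[A-Z_]+ \S+ RTSP/\d\.\d$")

def inspect_rtsp(raw: bytes) -> list:
    """Return anomaly labels for one reassembled RTSP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["unterminated-header-block"]
    findings, headers = [], {}
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        findings.append("malformed-request-line")
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("malformed-header")
            continue
        name, value = name.strip().lower(), value.strip()
        if len(value) > MAX_HEADER_VALUE:
            findings.append("oversized-header:" + name.decode("latin-1"))
        headers[name] = value
    declared = headers.get(b"content-length")
    if declared is None:
        if body:
            findings.append("body-without-content-length")
    elif not declared.isdigit():
        findings.append("non-numeric-content-length")
    else:
        # Cap digits before int(): very long digit strings are slow or rejected.
        n = int(declared) if len(declared) <= 10 else None
        if n is None or n > MAX_BODY:
            findings.append("oversized-content-length")
        if n != len(body):
            findings.append("content-length-mismatch")
    return findings

# Constructed sample requests (192.0.2.10 is a documentation address).
BENIGN = (b"SETUP rtsp://192.0.2.10/stream RTSP/1.0\r\nCSeq: 7\r\n"
          b"Content-Length: 4\r\n\r\nabcd")
SUSPECT = (b"SETUP rtsp://192.0.2.10/stream RTSP/1.0\r\nCSeq: 7\r\n"
           b"Content-Length: 4294967295\r\n\r\n" + b"A" * 16)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_rtsp(msg))
```

A length mismatch on its own is a weak signal if the capture is not fully reassembled, so alert on it in combination with the oversized findings.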
Broader Implications for Protocol Security
The AirBorne flaws mirror similar zero-click vulnerabilities in other protocols like Windows LDAP (CVE-2024-49112) and iMessage. This pattern highlights systemic risks in feature-rich network protocols that prioritize convenience over security. The research underscores the need for:
“Mandatory fuzz testing for all protocol implementations, especially those handling complex data structures like plists. Vendors must assume every input field is an attack vector.” [5]
Apple has since updated its developer documentation to include stricter bounds checking requirements for AirPlay SDK implementers. However, the long tail of vulnerable third-party devices (particularly in IoT ecosystems) will remain a concern for years.
Conclusion
The AirPlay vulnerabilities demonstrate how widely deployed protocols can become enterprise-wide risks when security assumptions fail. While Apple’s patches address their own devices, the fragmented nature of third-party implementations complicates remediation. Security teams should prioritize inventorying all AirPlay-capable devices in their environments and apply layered network controls to mitigate risks from unpatched systems.
References
[1] “AirBorne: 23 flaws in Apple’s AirPlay protocol,” Oligo Security, 2025. [Online]. Available: https://www.oligo.security/blog/airborne
[2] “About the security content of macOS Sequoia 15.4,” Apple Support, 2025. [Online]. Available: https://support.apple.com/en-us/122373
[3] “Zero-click attacks: How your wallet can be hacked without a click,” Cointelegraph, 2024. [Online]. Available: https://cointelegraph.com/explained/zero-click-attacks-how-your-wallet-can-be-hacked-without-a-click
[4] “Microsoft Windows zero-click RCE,” Barracuda, 2025. [Online]. Available: https://blog.barracuda.com/2025/01/08/cybersecurity-threat-advisory–microsoft-windows-zero-click-rce-
[5] “Let’s Defend SOC336: Windows OLE zero-click RCE exploitation detected,” Medium, 2025. [Online]. Available: https://medium.com/@rhian.anise/lets-defend-soc336-windows-ole-zero-click-rce-exploitation-detected-cve-2025-21298-77a95eafe2b1