
Apple’s AirPlay protocol, a proprietary wireless technology used for streaming audio and video across devices, was found to contain multiple critical vulnerabilities that could allow attackers to execute remote code without user interaction. The flaws, collectively dubbed AirBorne by cybersecurity firm Oligo, affect macOS, iOS, iPadOS, tvOS, visionOS, and third-party devices integrating the AirPlay SDK. Exploitation could lead to wormable malware propagation, data leaks, and device hijacking—particularly on public Wi-Fi networks.
Summary for Security Leadership
The AirBorne vulnerabilities (17 assigned CVEs) pose a significant risk due to their zero-click exploitation potential and wormable nature. Attackers could chain exploits to gain remote code execution (RCE) on unpatched devices, bypass authentication controls, and spread malware laterally across networks. Apple has released patches, but third-party vendors lag behind, leaving millions of devices exposed.
- Critical CVEs: CVE-2025-24252 (use-after-free) and CVE-2025-24132 (buffer overflow) enable RCE.
- Affected Devices: Apple ecosystem (patched) and third-party AirPlay-enabled hardware (many unpatched).
- Attack Surface: Public Wi-Fi, corporate networks, CarPlay, and IoT devices.
- Mitigation: Apply Apple’s latest updates (iOS 18.4, macOS 15.4) and restrict AirPlay to “Current User” mode.
Technical Breakdown of AirBorne Exploits
The vulnerabilities stem from flaws in AirPlay’s protocol handling, particularly in plist data parsing and HTTP/RTSP communication (port 7000). CVE-2025-24252, a use-after-free bug, can be chained with CVE-2025-24206 (authentication bypass) to achieve zero-click RCE on macOS when AirPlay is set to “Anyone on the same network.” This combination allows attackers to deploy malware that spreads autonomously across local networks, similar to wormable threats like WannaCry.
Third-party devices, such as Bose speakers, are vulnerable to CVE-2025-24132, a buffer overflow in the AirPlay SDK. Successful exploitation lets attackers hijack audio outputs, display arbitrary images, or activate microphones for eavesdropping. CarPlay systems are also at risk, though exploitation requires proximity via Bluetooth or USB.
Attack Scenarios and Impact
In a proof-of-concept demonstration, Oligo showed how an attacker on a public Wi-Fi network could:
- Exploit CVE-2025-24252 to gain RCE on a macOS device.
- Use the compromised device to scan for other vulnerable AirPlay targets.
- Propagate malware to unpatched IoT devices (e.g., smart speakers).
Additional risks include denial-of-service (DoS) attacks crashing AirPlay services and man-in-the-middle (MitM) attacks intercepting streams—such as spoofing a conference room TV to display malicious content.
Mitigation and Patching
Apple addressed the flaws in May 2025 updates (iOS 18.4, macOS 15.4, tvOS 18.4). Third-party vendors must adopt AirPlay SDK 2.7.1 (audio) or 3.6.0.126 (video). For enterprises, Beyond Identity recommends:
- Network segmentation to limit lateral movement.
- Endpoint detection for anomalous AirPlay activity.
- Disabling AirPlay on public networks or enforcing “Current User” restrictions.
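One way to approach the "endpoint detection for anomalous AirPlay activity" item, as an added example that is not code from Oligo, Apple or Beyond Identity: flag any host that contacts many distinct peers on the AirPlay port (7000) within a short window, the pattern a scanning, self-propagating infection would produce. The flow-record format, the 60-second window, the threshold of 5 and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

AIRPLAY_PORT = 7000              # AirPlay HTTP/RTSP port named in the article
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed: distinct receivers per source per window

# Constructed sample flows: "timestamp src_ip dst_ip dst_port" (assumed format)
SAMPLE_FLOWS = """\
2025-05-02T10:00:00 10.0.5.21 10.0.5.40 7000
2025-05-02T10:00:05 10.0.5.21 10.0.5.40 7000
2025-05-02T10:00:10 10.0.5.77 10.0.5.40 7000
2025-05-02T10:00:12 10.0.5.77 10.0.5.41 7000
2025-05-02T10:00:14 10.0.5.77 10.0.5.42 7000
2025-05-02T10:00:16 10.0.5.77 10.0.5.43 7000
2025-05-02T10:00:18 10.0.5.77 10.0.5.44 7000
2025-05-02T10:00:20 10.0.5.77 10.0.5.45 7000
2025-05-02T10:00:30 10.0.5.30 10.0.5.41 443
truncated-line 10.0.5.30
2025-05-02T10:05:00 10.0.5.30 10.0.5.40 7000
2025-05-02T10:10:00 10.0.5.30 10.0.5.41 7000
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, port = parts
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue

def find_airplay_fanout(flows, window=WINDOW, threshold=THRESHOLD):
    """Map each source that reached `threshold` distinct port-7000 peers
    inside one window to the largest distinct-peer count observed."""
    recent = defaultdict(deque)   # src -> (time, dst) pairs still in window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port != AIRPLAY_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

if __name__ == "__main__":
    print(find_airplay_fanout(parse_flows(SAMPLE_FLOWS)))
```

A host streaming repeatedly to one receiver, or reaching several receivers spread over minutes, stays below the threshold; tune the window and threshold to the number of AirPlay receivers a legitimate user on that segment would normally touch.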
Expert Commentary
“Many third-party AirPlay devices lack timely updates. Secure routers with strong passwords and avoid public Wi-Fi for AirPlay.” — Karolis Arbaciauskas, NordPass
“An attacker could deploy malware that spreads across networks, enabling espionage or ransomware.” — Oligo Security
Conclusion
The AirBorne vulnerabilities highlight the risks of proprietary wireless protocols and delayed third-party patching. While Apple’s patches mitigate the threat, organizations must audit AirPlay-enabled devices and enforce network controls to prevent exploitation. Unpatched IoT devices remain a long-term challenge, underscoring the need for vendor accountability in security updates.
References
- Oligo Security Report – Technical deep dive, PoC videos. 2025.
- Bastille Networks – Wireless airspace defense insights. 2025.
- HackRead – Third-party device risks. 2025.
- The Cyber Security Hub – Patch timelines. 2025.