Apple Patches AirPlay Flaws That Could Have Allowed Remote Takeover
Apple has released fixes for critical vulnerabilities in its AirPlay technology, a popular wireless streaming protocol. Security experts warn that attackers could have exploited these flaws over public Wi-Fi to gain complete control of vulnerable iPhones, iPads, and other Apple devices without any user interaction.

Cybersecurity researchers have uncovered some serious security flaws in Apple's AirPlay protocol. These vulnerabilities, if exploited, could allow attackers to completely take over devices that use this wireless technology.
The vulnerabilities have been dubbed AirBorne by the Israeli cybersecurity firm Oligo. Sounds ominous, right?
According to Oligo researchers Uri Katz, Avi Lumelsky, and Gal Elbaz, "These vulnerabilities can be chained by attackers to potentially take control of devices that support AirPlay – including both Apple devices and third-party devices that leverage the AirPlay SDK."
Here's the really scary part: some of these flaws, specifically CVE-2025-24252 and CVE-2025-24132, can be linked together to create a wormable, zero-click remote code execution (RCE) exploit. Imagine malware spreading automatically to devices on any network an infected device connects to. Yikes!
This could open the door for all sorts of nasty attacks, including deploying backdoors and ransomware. We're talking serious security risks here.
In short, these vulnerabilities could allow for:
- Zero- or one-click remote code execution (RCE)
- Access control list (ACL) and user interaction bypass
- Local arbitrary file read
- Information disclosure
- Adversary-in-the-middle (AitM) attacks
- Denial-of-service (DoS)
One particularly concerning scenario involves chaining CVE-2025-24252 and CVE-2025-24206 to achieve a zero-click RCE on macOS devices. The catch? The AirPlay receiver needs to be on and set to "Anyone on the same network" or "Everyone." So, check your settings!
Think about this: your device gets compromised on a public Wi-Fi network. Then, you connect to your company's network, and suddenly the attacker has a way to breach other devices. Not good.
Here's a quick rundown of some other notable flaws:
- CVE-2025-24271 - ACL vulnerability allowing attackers on the same network to send AirPlay commands to a signed-in Mac without pairing.
- CVE-2025-24137 - Could cause arbitrary code execution or application termination.
- CVE-2025-24132 - Stack-based buffer overflow leading to zero-click RCE on speakers and receivers using the AirPlay SDK.
- CVE-2025-24206 - Authentication vulnerability allowing attackers on the local network to bypass authentication.
- CVE-2025-24270 - Could leak sensitive user information to attackers on the local network.
- CVE-2025-24251 - Could allow attackers on the local network to cause unexpected app termination.
- CVE-2025-31197 - Same as above: unexpected app termination.
- CVE-2025-30445 - Type confusion vulnerability, also leading to unexpected app termination.
- CVE-2025-31203 - Integer overflow vulnerability leading to a Denial-of-Service (DoS) condition.
The good news is that Apple has patched these vulnerabilities in the following versions:
- iOS 18.4 and iPadOS 18.4
- iPadOS 17.7.6
- macOS Sequoia 15.4
- macOS Sonoma 14.7.5
- macOS Ventura 13.7.5
- tvOS 18.4
- visionOS 2.4
Some of the weaknesses (CVE-2025-24132 and CVE-2025-30422) have also been fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, and CarPlay Communication Plug-in R18.1.
Oligo's advice? "For organizations, it is imperative that any corporate Apple devices and other machines that support AirPlay are updated immediately to the latest software versions."
They also recommend communicating to employees that all of their personal devices that support AirPlay need to be updated ASAP. So, spread the word!
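
To act on that advice across a fleet, the patched-release list above can be turned into an inventory check. This is an added example, not code from Apple or Oligo: the hostnames and inventory rows are constructed, and treating major releases newer than the listed ones as patched is an assumption.

```python
# Added example: AirBorne patch-level audit over a constructed device inventory.
# Minimum fixed release per platform and major-version branch, from the list above.
PATCHED = {
    "iOS": {18: (18, 4)},
    "iPadOS": {17: (17, 7, 6), 18: (18, 4)},
    "macOS": {13: (13, 7, 5), 14: (14, 7, 5), 15: (15, 4)},
    "tvOS": {18: (18, 4)},
    "visionOS": {2: (2, 4)},
}

def parse_version(text):
    """'15.3.2' -> (15, 3, 2); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def airborne_status(platform, version):
    branches = PATCHED.get(platform)
    if branches is None:
        return "unknown-platform"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable-version"
    major = v[0]
    if major > max(branches):
        # Assumption: major releases after the listed ones already carry the fixes.
        return "patched"
    fixed = branches.get(major)
    if fixed is None:
        # No fixed release is listed for this branch (e.g. iOS 17, macOS 12).
        return "no-fix-listed"
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))  # so 18.4 compares equal to 18.4.0
    return "patched" if pad(v) >= pad(fixed) else "vulnerable"

# Constructed sample inventory: (hostname, platform, OS version).
INVENTORY = [
    ("mbp-finance-01", "macOS", "15.3.2"),
    ("mbp-eng-07", "macOS", "14.7.5"),
    ("ipad-kiosk-3", "iPadOS", "17.7.5"),
    ("iphone-sales-2", "iOS", "18.4"),
    ("iphone-spare", "iOS", "17.7.2"),
    ("atv-boardroom", "tvOS", "18.3"),
]

def audit(inventory):
    return {host: airborne_status(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices reported as "no-fix-listed" are on a branch for which the list above names no patched release, so they need an upgrade to a listed branch rather than a point update.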