Billions Of Apple Devices At Risk From “airborne” Airplay Vulnerabilities

Oligo Security uncovers “AirBorne,” a group of 23 vulnerabilities successful Apple AirPlay affecting billions of devices. Learn really these flaws alteration distant power (RCE) and information theft connected iPhones, Macs, CarPlay, and more.

Cybersecurity patient Oligo has revealed awesome vulnerabilities, dubbed AirBorne, successful Apple’s AirPlay, a wireless strategy utilized by iPhones, iPads, Macs, and third-party devices for audio and video streaming. These flaws successful Apple’s AirPlay package devices for different companies could fto hackers return power of devices connected nan aforesaid Wi-Fi network.

Apple has released updates for its devices and provided fixes to third-party makers, urging users to update. However, not each companies update quickly. Oligo identified 23 vulnerabilities, starring to 17 information identifiers (CVEs), that could alteration various attacks, including taking complete power of a instrumentality without personification relationship (Zero-Click RCE), reference immoderate record (Local Arbitrary File Read), stealing backstage information, and intercepting communications. Attackers could harvester these to afloat power devices.

Two cardinal vulnerabilities (CVE-2025-24252 and CVE-2025-24132) could let wormable attacks, spreading harmful package automatically crossed networks. This could lead to superior issues for illustration spying and ransomware. Millions of Apple devices and third-party AirPlay devices, including those successful cars (CarPlay), are perchance affected.

Oligo demonstrated Zero-Click RCE connected macOS (CVE-2025-24252) nether definite web settings, perchance allowing malware to spread. They besides recovered One-Click RCE connected macOS (CVE-2025-24271) nether different settings. Speakers and receivers utilizing AirPlay SDK are susceptible to Zero-Click RCE (CVE-2025-24132), allowing eavesdropping. CarPlay devices are besides astatine consequence of RCE, which could distract drivers aliases alteration tracking.

Oligo’s investigation recovered that galore basal AirPlay commands were accessible without beardown security. The vulnerabilities often subordinate to really nan AirPlay package handles information successful a format called “plist.”

For your information, plist is AirPlay’s strategy that combines HTTP and RTSP protocols to pass complete larboard 7000. Commands, peculiarly those pinch other information, are sent arsenic HTTP information successful plist format.

Oligo gave 1 illustration of a type of disorder vulnerability (CVE-2025-24129) that happens because nan AirPlay package doesn’t decently cheque nan type of information it receives successful a plist. If it expects a database of items but gets thing else, it tin origin nan programme to crash.

Crashing a device’s AirPlay could let attackers to intercept communications. For example, crashing nan AirPlay server connected a instrumentality could let an attacker to dress to beryllium that instrumentality connected nan web and intercept communications. They gave a script wherever an attacker could clang a TV’s AirPlay, clone its identity, and past grounds a gathering being streamed to it, researchers noted.

Oligo’s in-depth method report published connected April 29, 2025, urges users and organizations to instantly update each Apple and third-party AirPlay devices to nan latest software. They besides propose disabling AirPlay erstwhile not successful usage and limiting AirPlay entree connected networks.

Expert’s Comment

In a remark to Hackread.com, cybersecurity master and Head of Business Product astatine NordPass, Karolis Arbaciauskas stated that “Many third-party AirPlay devices don’t get timely updates for illustration Apple’s, truthful vulnerabilities whitethorn remain. To utilization them, an attacker needs entree to your Wi-Fi, truthful unafraid your router pinch updates and a beardown password.”

“Factory-set passwords are often weak, truthful ever alteration them. Use astatine slightest 8 random characters pinch numbers and symbols, and see a password head to make this easier,” Karolis advised. “Avoid utilizing AirPlay connected nationalist Wi-Fi, which is often insecure. If possible, usage your phone’s hotspot instead, aliases astatine slightest debar unfastened networks and usage a VPN.”