
Security researchers at Oligo Security have uncovered a concerning set of vulnerabilities in Apple's AirPlay protocol that could potentially impact billions of devices worldwide. Named "AirBorne," these vulnerabilities enable attackers to execute remote code on affected devices without requiring any user interaction in some cases.
The research team identified 23 vulnerabilities in the AirPlay protocol and SDK, resulting in 17 CVEs being issued after responsible disclosure to Apple. The most severe vulnerabilities allow for zero-click remote code execution, meaning attackers can compromise devices without any user interaction whatsoever.
According to Oligo's findings, the vulnerabilities can affect various Apple devices, including Macs, iPhones, iPads, Apple TVs, and third-party devices that integrate the AirPlay SDK. Apple reported in January 2025 that there are approximately 2.35 billion active Apple devices globally, though not all are vulnerable to the most severe attack vectors.
The AirBorne vulnerabilities enable several attack vectors:
- Zero-click remote code execution (RCE)
- One-click RCE
- Access control list (ACL) and user interaction bypass
- Local arbitrary file read
- Sensitive information disclosure
- Man-in-the-middle (MITM) attacks
- Denial of service (DoS)
Perhaps most alarming is the potential for "wormable" exploits, where compromised devices can spread the attack to other devices on any network they connect to. For example, researchers demonstrated that CVE-2025-24252, a use-after-free vulnerability, when chained with CVE-2025-24206 (user interaction bypass), allows zero-click RCE on macOS devices with the AirPlay receiver set to "Anyone on the same network" or "Everyone" configuration.
Oligo researchers illustrated a concerning scenario: "A victim device is compromised while using public WiFi, then connects to their employer's network – providing a path for the attacker to take over additional devices on that network."
The vulnerabilities also impact third-party AirPlay-compatible speakers, receivers, and CarPlay devices. CVE-2025-24132, a stack-based buffer overflow vulnerability, allows zero-click RCE on speakers and receivers using the AirPlay SDK. For CarPlay devices, attackers within proximity could potentially execute RCE attacks through WiFi hotspots or Bluetooth connections.
The potential impact extends beyond simple device control. Attackers could leverage compromised devices for espionage (such as eavesdropping through device microphones), ransomware deployment, or as launching points for supply chain attacks.
The most significant CVEs disclosed include:
- CVE-2025-24252: A use-after-free vulnerability that enables zero-click remote code execution on macOS devices when the AirPlay receiver is set to "Anyone on the same network" or "Everyone"
- CVE-2025-24132: A stack-based buffer overflow vulnerability allowing zero-click RCE on speakers, receivers, and CarPlay devices that use the AirPlay SDK
- CVE-2025-24206: A vulnerability that bypasses user interaction requirements, turning many attacks into zero-click exploits
- CVE-2025-24271: An access control list vulnerability that, when chained with CVE-2025-24137, allows one-click RCE on macOS devices
Apple has worked with Oligo Security throughout the responsible disclosure process and has released software updates to address these vulnerabilities. Users are strongly advised to:
- Update all Apple and AirPlay-compatible devices immediately
- Disable the AirPlay receiver when not in use
- Restrict AirPlay access through firewall rules (port 7000 on Apple devices)
- Change AirPlay settings to "Current User" to reduce the attack surface
The researchers noted that they began investigating after noticing that most devices on their internal network had AirPlay port 7000 open, making those devices an attractive target for potential attackers.
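The same exposure check can be turned into a patch-tracking inventory. The following Python is an added example, not code from Oligo's research or from Apple: it uses only the standard library to discover AirPlay receivers on the local segment through mDNS service discovery, so a defender can list the devices that still need updating or whose receiver should be disabled. The service type `_airplay._tcp.local.` and the legacy unicast query behaviour come from RFC 6762/6763; the function names and the sample response in the comments are the example's own.

```python
import socket, struct
AIRPLAY_SERVICE, MDNS_GROUP, MDNS_PORT = "_airplay._tcp.local.", "224.0.0.251", 5353

def encode_name(name):
    """DNS wire encoding of a dotted name (plain labels, no compression)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def build_mdns_query(name=AIRPLAY_SERVICE):
    """Header with a single question, followed by QNAME, QTYPE PTR (12), QCLASS IN (1)."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 12, 1)

def read_name(data, offset):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels = []
    while (length := data[offset]) and not length & 0xC0:
        labels.append(data[offset + 1:offset + 1 + length].decode("utf-8", "replace"))
        offset += 1 + length
    if length & 0xC0:                        # compression pointer (RFC 1035 section 4.1.4)
        tail, _ = read_name(data, struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF)
        return (".".join(labels + [tail]) if labels else tail), offset + 2
    return ".".join(labels) + ".", offset + 1

def parse_srv_records(data):
    """Map each SRV owner name in a DNS response to (target host, port)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, found = 12, {}
    for _ in range(qd):                      # skip echoed questions: name + type + class
        offset = read_name(data, offset)[1] + 4
    for _ in range(an + ns + ar):            # answers plus additionals (SRV/TXT/A travel there)
        name, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 33:                      # SRV rdata: priority, weight, port, target
            port = struct.unpack("!H", data[offset + 4:offset + 6])[0]
            found[name] = (read_name(data, offset + 6)[0], port)
        offset += rdlen
    return found

def inventory_airplay_receivers(timeout=3.0):
    """Send one query to the mDNS group and collect every SRV answer heard before timeout."""
    # From an ephemeral port this is a legacy unicast query (RFC 6762 section 6.7): responders
    # reply directly to this socket rather than to the multicast group.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_mdns_query(), (MDNS_GROUP, MDNS_PORT))
    receivers = {}
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            receivers.update(parse_srv_records(data))
    except socket.timeout:
        return receivers
```

Call `inventory_airplay_receivers()` from a host on the segment being inventoried; each entry maps an advertised receiver (for example a constructed `Living Room._airplay._tcp.local.`) to its host name and the SRV port, which is the AirPlay listener the firewall advice above refers to.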
For organizations, ensuring that both corporate and employee-owned Apple devices are promptly updated is critical to mitigating these risks. The wormable nature of some exploits means that a single compromised device could potentially lead to widespread network infection.