
In a sweeping and deeply technical report, Oligo Security Research has disclosed a dangerous new family of vulnerabilities in Apple’s AirPlay protocol and its associated Software Development Kit (SDK) used by both Apple and third-party vendors. The vulnerabilities—collectively dubbed “AirBorne”—enable attackers to remotely take over Apple and IoT devices without any user interaction, and in some scenarios, to propagate malware across local networks automatically, creating a wormable exploit chain.
The discovered vulnerabilities enable multiple attack vectors with severe consequences, including zero-click remote code execution (RCE), one-click RCE, access control list (ACL) and user interaction bypass, local arbitrary file read, sensitive information disclosure, man-in-the-middle (MITM) attacks, and denial-of-service (DoS).
The AirBorne vulnerabilities affect AirPlay-enabled MacBooks, iPhones, Apple TVs, CarPlay systems, and millions of third-party speakers, TVs, and automotive infotainment systems. In total, these flaws put billions of devices at potential risk.
“Attackers can fully take over devices and use that access as a launchpad for further exploitation,” warns the report.
Researchers have demonstrated that certain vulnerabilities, specifically CVE-2025-24252 and CVE-2025-24132, can be exploited to achieve wormable zero-click RCE attacks. This means attackers can compromise AirPlay-enabled devices and deploy malware that spreads automatically to other devices on the same local network.
Oligo explains: “A victim device is compromised while using public WiFi, then connects to their employer’s network—providing a path for the attacker to take over additional devices.”
Oligo warns that CarPlay units are vulnerable under multiple conditions:
- Wi-Fi: If the hotspot password is weak or default, an attacker in close proximity can gain access.
- Bluetooth: Some devices use Bluetooth to transmit credentials over IAP2, allowing attackers to exploit the connection with just visual access to a PIN.
- USB: Wired CarPlay setups are vulnerable via physical connection.
Attack outcomes range from displaying images or playing distracting audio to eavesdropping on in-car conversations and tracking a vehicle’s location.
AirBorne’s risk surface extends far beyond RCE:
- CVE-2025-24270 allows local arbitrary file reads
- Other flaws leak log data, which attackers can use for device fingerprinting or lateral movement
- Several denial-of-service (DoS) flaws can crash AirPlay receivers, opening the door for spoofing and man-in-the-middle attacks
Unlike typical remote exploits that require phishing or file downloads, AirBorne vulnerabilities are triggered through AirPlay traffic on port 7000, with no user action, bypassing user-facing protections like Apple’s Mark-of-the-Web (MOTW) system.
Oligo notes: “Many protocol commands were fully accessible in the default settings. These questionable flows led to us digging in further and carrying out this extensive research.”
Oligo responsibly disclosed the findings to Apple, which issued patches across multiple operating systems:
- macOS Sequoia, Sonoma, and Ventura
- iOS, iPadOS 17–18
- tvOS, visionOS, and CarPlay SDKs
In total, 23 vulnerabilities were reported, with 17 receiving CVE IDs and others grouped into broader remediations.
To mitigate exposure, Oligo recommends the following:
- Update all Apple and AirPlay-enabled devices immediately.
- Disable AirPlay Receiver on devices where not in use.
- Restrict AirPlay access to trusted devices via network segmentation or firewall rules on port 7000.
- Set AirPlay permissions to “Current User” instead of “Everyone” to reduce exposure.
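As an added illustration of the last two recommendations (not part of Oligo’s report or Apple’s tooling), the script below audits a list of hosts for a reachable AirPlay receiver on TCP port 7000 and emits pf firewall rules that allow that port only from trusted networks. The host list, the trusted CIDRs and the pf rule layout are assumptions for the example; the only fact taken from the article is the port number.

```python
"""Audit hosts for an exposed AirPlay receiver (TCP/7000) and generate
pf rules restricting that port to trusted networks.

Added example for the AirBorne mitigation advice; not vendor code.
"""
import socket
from typing import Iterable, List, Tuple

AIRPLAY_PORT = 7000  # port named in the AirBorne report


def airplay_port_open(host: str, port: int = AIRPLAY_PORT, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    A successful connect means something is listening where an AirPlay
    receiver would be; a refused/timed-out connect means the receiver is
    disabled or the port is filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_receivers(hosts: Iterable[str], port: int = AIRPLAY_PORT) -> List[str]:
    """Return the subset of hosts that still accept connections on the AirPlay port."""
    return [h for h in hosts if airplay_port_open(h, port)]


def pf_rules(trusted_cidrs: Iterable[str], port: int = AIRPLAY_PORT) -> str:
    """Build pf rules: pass the AirPlay port from trusted networks, block it otherwise.

    'quick' makes the first matching rule win, so the pass rules must
    precede the catch-all block (hypothetical policy layout, not Apple's).
    """
    lines = [f"# Restrict AirPlay (TCP/{port}) to trusted networks only"]
    for cidr in trusted_cidrs:
        lines.append(f"pass in quick proto tcp from {cidr} to any port {port}")
    lines.append(f"block in quick proto tcp from any to any port {port}")
    return "\n".join(lines) + "\n"


def self_check() -> Tuple[bool, bool]:
    """Offline demonstration: start a throwaway local listener standing in for
    an AirPlay receiver, confirm it is detected, close it, confirm it is not.
    Returns (open_while_listening, open_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, constructed stand-in for 7000
    srv.listen(5)
    port = srv.getsockname()[1]
    before = airplay_port_open("127.0.0.1", port)
    srv.close()
    after = airplay_port_open("127.0.0.1", port)
    return before, after


if __name__ == "__main__":
    # Constructed inventory; replace with the hosts in your own segment.
    inventory = ["192.0.2.10", "192.0.2.11"]  # RFC 5737 documentation range
    print("exposed:", exposed_receivers(inventory))
    print(pf_rules(["10.0.0.0/24"]))
```

Run the audit before and after applying the pf rules: a host that still appears in `exposed_receivers` from an untrusted segment has not been segmented or has AirPlay Receiver still enabled.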