Security researchers identified 23 vulnerabilities in Apple’s AirPlay Protocol and AirPlay Software Development Kit. The vulnerabilities, collectively dubbed “AirBorne,” could expose devices to remote code execution (RCE) attacks. Such exploits could allow bad actors to take full control of Apple and third-party devices over a local network without any user interaction.
Possible impacts of these Apple vulnerabilities
Security firm Oligo reported that the AirBorne flaws enable a variety of attack vectors, including zero-click and one-click RCEs, access control list bypass, man-in-the-middle, and denial-of-service exploits. It warned that, while only attackers on the same network can exploit a vulnerable device, a successful breach could enable malware to spread automatically to other nearby devices using AirPlay.
“This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more,” the researchers wrote, noting that a device compromised on public Wi-Fi could later infect others when connected to a workplace network.
“Because AirPlay is a fundamental piece of software for Apple devices (Mac, iPhone, iPad, AppleTV, etc.) as well as third-party devices that leverage the AirPlay SDK, this class of vulnerabilities could have far-reaching impacts.”
Apple’s response to these security vulnerabilities
All vulnerabilities were disclosed to Apple, and affected devices were patched on March 31 with the release of iOS and iPadOS 18.4, macOS Ventura 13.7.5, macOS Sonoma 14.7.5, macOS Sequoia 15.4, and visionOS 2.4. They were also patched in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, and CarPlay Communication Plug-in R18.1.
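The fixed releases listed above can be turned into a fleet check; the sketch below is an added example, not code from the article, Apple or Oligo. The inventory, hostnames and status labels are constructed, and treating a major branch newer than every listed one as patched (and an older branch with no listed fix as needing an update) is an assumption.

```python
import re

# Fixed releases exactly as listed in the article, keyed by product name.
# macOS has one fixed release per major branch (Ventura, Sonoma, Sequoia).
FIXED = {
    "iOS": ["18.4"],
    "iPadOS": ["18.4"],
    "macOS": ["13.7.5", "14.7.5", "15.4"],
    "visionOS": ["2.4"],
    "AirPlay audio SDK": ["2.7.1"],
    "AirPlay video SDK": ["3.6.0.126"],
    "CarPlay Communication Plug-in": ["R18.1"],
}

def parse_version(text):
    """Turn '15.3.2' or 'R18.1' into a tuple of ints for comparison."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)

def at_least(have, fixed):
    """Compare after zero-padding, so 15.4 counts as 15.4.0."""
    width = max(len(have), len(fixed))
    return have + (0,) * (width - len(have)) >= fixed + (0,) * (width - len(fixed))

def airborne_status(product, version):
    """Return 'patched', 'update-needed' or 'unknown-product'."""
    if product not in FIXED:
        return "unknown-product"
    have = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED[product])
    same_branch = [f for f in fixed if f[0] == have[0]]
    if same_branch:
        return "patched" if at_least(have, same_branch[0]) else "update-needed"
    # Assumption: a branch newer than every listed one ships the fix;
    # an older branch has no fix listed in the article.
    return "patched" if have[0] > fixed[-1][0] else "update-needed"

def audit(inventory):
    return {host: airborne_status(product, ver) for host, product, ver in inventory}

# Constructed sample inventory: (hostname, product, installed version).
SAMPLE = [
    ("mac-01", "macOS", "14.7.4"),
    ("mac-02", "macOS", "15.4"),
    ("ipad-07", "iPadOS", "17.7"),
    ("speaker-3", "AirPlay audio SDK", "2.7.1"),
]
```

Devices that report `update-needed` or `unknown-product` are the ones to review first.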
AirPlay relies on property list (plist)-formatted command arguments transmitted over port 7000 using a combination of HTTP and RTSP. Plist is a structured data format used by Apple. Many of the vulnerabilities stem from how these plists are parsed by Apple’s Core Foundation APIs, the researchers said.
Only 17 CVEs were issued for the 23 flaws, as some of them were grouped together based on their remediation method and time of resolution. The researchers provided details on some of the AirBorne vulnerabilities that can lead to zero-click RCE attacks.
- CVE-2025-24252, a use-after-free flaw in macOS, enables a zero-click RCE on devices set to accept AirPlay from anyone on the same network.
- CVE-2025-24271 is an Access Control List vulnerability that lets attackers send AirPlay commands without pairing, also enabling a one-click RCE on macOS devices configured for “Current User” access.
- CVE-2025-24132 is a stack-based buffer overflow in the AirPlay SDK that allows zero-click RCE on speakers, receivers, and CarPlay devices. “Examples of attack outcomes include distracting drivers through image display and playing audio, to more nefarious actions like eavesdropping on conversations and tracking a vehicle’s location,” the Oligo researchers wrote.