Secure ISS
Apple AirPlay Zero-Click RCE Vulnerability (AirBorne)

Summary

CVE-2025-24252 is part of “AirBorne”, a critical zero-click vulnerability in Apple’s AirPlay protocol that enables unauthenticated remote code execution (RCE) over Wi-Fi, without user interaction, on over 2.35 billion Apple devices and tens of millions of third-party devices.


Impacted Versions

Apple OS:

  • iOS and iPadOS before 18.4 (fixed in 18.4) [6]

  • macOS Ventura before 13.7.5, Sonoma before 14.7.5 and Sequoia before 15.4 (fixed in those releases) [7]

  • visionOS before 2.4 (fixed in 2.4) [7]

AirPlay SDK (third-party devices):

  • Fixed in Audio SDK 2.7.1, Video SDK 3.6.0.126 and the CarPlay Plug-in updates [1]


Vulnerabilities

CVE-2025-24252 + CVE-2025-24206 (Use-After-Free & Auth Bypass)

  • Severity: Critical

  • A use-after-free in the AirPlay receiver, combined with an authentication bypass, enables zero-click RCE on devices set to “Anyone on the same network” [1][4].

CVE-2025-24132 (Stack-Based Buffer Overflow)

  • Severity: Critical

  • An overflow in the AirPlay SDK affecting speakers, TVs and CarPlay systems allows wormable exploits [1][4].

CVE-2025-24271 (ACL Bypass)

  • Severity: Critical

  • Improper access-control handling lets attackers send unauthenticated AirPlay commands, weaponisable for RCE [1][4].


Exploitation & Threat

Attackers on the same Wi-Fi network can send malformed plist or RTSP commands (e.g. /setProperty, SETUP) to crash AirPlay services, corrupt memory and achieve code execution in background processes (e.g. ControlCenter, WindowServer) [1]. Demonstrations include hijacking a Mac’s Music app or a Bose speaker to display images and play audio; buffer-overflow chaining enables self-propagation across devices [2][3][4]. Public hotspots and corporate Wi-Fi are prime targets for mass exploitation, lateral movement, espionage or ransomware staging [2].

Mitigations

  1. Patch Immediately: Apply Apple’s updates for iOS 18.4, iPadOS 18.4, macOS Ventura 13.7.5, Sonoma 14.7.5, Sequoia 15.4 and visionOS 2.4 [6][7].

  2. Disable AirPlay Receiver: Turn off AirPlay on devices not in active use [1].

  3. Network Hardening: Restrict port 7000 (AirPlay) via firewalls; limit AirPlay traffic to trusted endpoints [1].

  4. Third-Party Coordination: Contact device manufacturers for SDK firmware updates; verify that Audio 2.7.1/Video 3.6.0.126/CarPlay Plug-in patches are applied [1].

  5. Monitoring & Detection: Audit network logs for unusual /setProperty or SETUP requests; deploy IDS/IPS signatures and Nuclei templates for AirBorne indicators [4].
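
One way to combine the log audit in step 5 with the trusted-endpoint restriction in step 3, as an added example that is not part of the original advisory. The log layout, the trusted subnet and the fan-out threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

AIRPLAY_PORT = 7000                  # port named in the advisory
TRUSTED_SENDERS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: presenter VLAN
FANOUT_THRESHOLD = 3                 # assumption: distinct receivers before escalating

# Constructed sample, assumed layout: <timestamp> <src> <dst> <dport> <method> <uri>
SAMPLE_LOG = """\
2025-05-02T09:00:01Z 10.20.0.15 10.30.0.5 7000 SETUP rtsp://10.30.0.5/1
2025-05-02T09:02:10Z 10.99.4.7 10.30.0.5 7000 POST /setProperty
2025-05-02T09:02:11Z 10.99.4.7 10.30.0.6 7000 SETUP rtsp://10.30.0.6/1
2025-05-02T09:02:12Z 10.99.4.7 10.30.0.7 7000 SETUP rtsp://10.30.0.7/1
2025-05-02T09:03:00Z 10.99.8.2 10.30.0.5 7000 GET /info
2025-05-02T09:03:05Z 10.99.8.2 10.30.0.5 443 POST /setProperty
2025-05-02T09:03:09Z 10.99.8.2 10.30.0.5 7000 SETUP rtsp://10.30.0.5/2
truncated-line 10.99.8.2
"""

def parse(line):
    """Return (ts, src, dst, dport, method, uri), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, method, uri = parts
    try:
        return ts, ipaddress.ip_address(src), dst, int(dport), method, uri
    except ValueError:
        return None

def audit(log_text):
    """Flag /setProperty and SETUP requests from untrusted senders, plus fan-out."""
    hits, receivers = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport, method, uri = rec
        watched = method == "SETUP" or uri.startswith("/setProperty")
        if dport != AIRPLAY_PORT or not watched:
            continue
        if any(src in net for net in TRUSTED_SENDERS):
            continue  # sender is an allowed endpoint (network-hardening step)
        hits.append((ts, str(src), dst, method, uri))
        receivers[str(src)].add(dst)
    fanout = sorted(s for s, d in receivers.items() if len(d) >= FANOUT_THRESHOLD)
    return hits, fanout

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A sender that appears in the fan-out list has reached several receivers with the watched requests, which is the pattern to prioritise given the self-propagation risk described above.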

Resources and Further Reading

  1. Cybersecurity News: AirPlay Zero-Click RCE Vulnerability

  2. The Verge: AirPlay security flaws could help hackers spread malware

  3. Wired: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi

  4. Oligo Security: Critical Vulnerabilities in AirPlay Protocol

  5. BleepingComputer: Apple ‘AirBorne’ zero-click AirPlay RCE attacks

  6. Apple Support: About the security content of iOS 18.4 and iPadOS 18.4

  7. Apple Support: Apple security releases

  8. TheHackerNews: Apple backports critical fixes for 3 recent 0-days

  9. Forbes: iOS 18.4.1—Apple Issues Update Now Warning To All iPhone Users

  10. Apple Support: About the security content of iOS 18.4.1 and iPadOS 18.4.1

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.