Cybersecurity researchers have revealed a set of security vulnerabilities in Apple’s AirPlay protocol. This allows attackers to take over sensitive devices that support their own radio technology.
The drawbacks are collectively codenamed air Oligo, an Israeli cybersecurity company.
“These vulnerabilities can be chained by attackers to potentially control devices that support AirPlay, including both Apple devices and third-party devices that leverage the AlplaySDK.”
To attack some of the vulnerabilities like CVE-2025-24252 and CVE-2025-24132, you can create wamable zero-click RCE exploits, allowing bad actors to deploy malware that propagates to devices on the local network to which the inte- ted devices connect.
This paves the way for sophisticated attacks that lead to backdoors and ransomware deployments, potentially creating serious security risks.
In a nutshell, vulnerabilities can allow zero or one-click remote code execution (RCE), access control lists (ACLs) and user interaction bypass, reading any local file, disclosure of information, adversaries (AITM) attacks, and denial of service (DOS).
This includes a chain of CVE-2025-24252 and CVE-2025-24206, providing zero-click RCE for MACOS devices connected to the same network as the attacker. However, for this exploit to succeed, the AirPlay receiver must be turned on and set to “Anyone on the same network” or “Everyone” configuration.
In a hypothetical attack scenario, connecting to a public Wi-Fi network could potentially compromise the victim’s device. If you later connect your device to an enterprise network, you can provide an attacker with a way to violate other devices connected to the same network.
https://www.youtube.com/watch?v=eq8buwfusum
Some of the other notable flaws are listed below –
- CVE-2025-24271 – ACL vulnerability that allows attackers on the same network as sign-in Mac to send AirPlay commands without pairing
- CVE-2025-24137 – Vulnerability that could cause arbitrary code execution or application to be terminated
- CVE-2025-24132 – Stack-based buffer overflow vulnerability that could lead to zero-click RCE in speakers and receivers that utilize the Airplay SDK
- CVE-2025-24206 – Authentication vulnerability that allows attackers on local networks to bypass authentication policies
- CVE-2025-24270 – Vulnerability that allows attackers on local networks to leak sensitive user information
- CVE-2025-24251 – Vulnerability that allows attackers on local networks to cause unexpected app termination
- CVE-2025-31197 – Vulnerability that allows attackers on local networks to cause unexpected app termination
- CVE-2025-30445 – Types of confusion vulnerability that can cause attackers on local networks to cause unexpected app termination
- CVE-2025-31203 – Integer overflow vulnerability that can cause attackers on local networks to cause DOS states
Following responsible disclosure, the identified vulnerabilities have been patched in the following versions –
- iOS 18.4 and iPads 18.4
- iPados 17.7.6
- MacOS Secoia 15.4
- Sonoma Machus 14.7.5
- Macos Ventura 13.7.5
- TVOS 18.4, and
- Visionos 2.4
https://www.youtube.com/watch?v=vcs5g4jwab8
Some of the weaknesses (CVE-2025-24132 and CVE-2025-30422) have also been patched to the AirPlay Audio SDK 2.7.1, AirPlay Video SDK 3.6.0.126, and Carplay communication plugin R18.1.
“For organizations, it’s essential that the company’s Apple devices and other machines that support airplay are updated immediately to the latest software version,” Oligo said.
“Security leaders need to provide employees with clear communication that all personal devices that support AirPlay also need to be updated immediately.”
