Full Report
A set of security vulnerabilities in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK) exposed unpatched third-party and Apple devices to various attacks, including remote code execution. [...]
Analysis Summary
# Vulnerability: AirBorne Zero-Click Remote Code Execution via AirPlay Flaws
## CVE Details
- CVE ID: CVE-2025-24252, CVE-2025-24132, CVE-2025-24206 (Multiple vulnerabilities discussed)
- CVSS Score: Not explicitly provided in the text (Implied critical due to RCE potential)
- CWE: Not explicitly provided in the text, but involves improper input validation/handling leading to RCE and UI interaction bypass.
## Affected Systems
- Products: Apple AirPlay audio SDK, AirPlay video SDK, CarPlay Communication Plug-in, and all AirPlay-enabled devices including Mac, iPhone, iPad, AppleTV, and tens of millions of third-party devices/TVs using the SDK.
- Versions: All versions prior to vendor patches.
- Configurations: Any device with the AirPlay receiver enabled, typically requiring the attacker to be on the same local network (wireless or peer-to-peer).
## Vulnerability Description
A series of vulnerabilities dubbed "AirBorne" exists within Apple's AirPlay implementation across multiple SDKs (Audio, Video, and CarPlay Communication Plug-in). Specific flaws (CVE-2025-24252 and CVE-2025-24132) allow for the creation of wormable, zero-click Remote Code Execution (RCE) exploits. Additionally, CVE-2025-24206 allows an attacker to bypass the user interaction prompt (the "Accept" click) required for certain AirPlay requests. Chaining these flaws enables an attacker on the local network to gain unauthorized access, deploy malware, and compromise other AirPlay devices the infected device connects to, potentially leading to espionage or ransomware attacks.
## Exploitation
- Status: PoC available (Oligo researchers demonstrated RCE capabilities).
- Complexity: Low (Two of the flaws can be chained into a wormable, zero-click exploit).
- Attack Vector: Network (Requires attacker to be on the same local wireless network as the target).
## Impact
- Confidentiality: High (Potential for malware deployment and espionage).
- Integrity: High (Potential for malware deployment and corruption).
- Availability: High (Device compromise and potential network spread).
## Remediation
### Patches
- Apple has released updates addressing these vulnerabilities across affected operating systems and SDKs. Users are advised to update all Apple devices (iPhone, iPad, Mac, AppleTV) to the latest available software version.
### Workarounds
- Disable the AirPlay receiver functionality if it is not actively being used.
- Restrict AirPlay access using firewall rules to only trusted devices.
- Reduce the attack surface by configuring AirPlay to only allow connections for the current user session.
## Detection
- Detection methods focusing on unusual AirPlay connection attempts or unexpected processes running on endpoint devices following an unprompted AirPlay connection attempt should be implemented. (Specific IOCs were not listed in the provided text.)
## References
- Vendor Advisory (Implied Fixes Released): [support dot apple dot com/en-us/122403]
- Research Blog: [oligo dot security/blog/airborne]
- General Apple Devices Statistics Reference: [security dot apple dot com]