What are the AirBorne vulnerabilities?

AirBorne is a collection of security vulnerabilities discovered by Oligo Security Research in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK). These vulnerabilities affect both Apple devices and third-party products that use AirPlay functionality, enabling attackers to remotely compromise devices through wireless networks or peer-to-peer connections.

What specific vulnerabilities make up the AirBorne threat?

The AirBorne threat consists of three main vulnerabilities: CVE-2025-24252 (CVSS score 9.8) - a Use After Free vulnerability; CVE-2025-24132 (CVSS score not available, probably critical) - a Stack-based Buffer Overflow vulnerability; and CVE-2025-24206 (CVSS score 7.7) - an Authentication Bypass vulnerability that enables zero-click attacks by bypassing the 'Accept' click requirement.

What types of attacks do these vulnerabilities enable?

The vulnerabilities enable multiple attack vectors, including: Zero-Click Remote Code Execution (RCE), One-Click RCE, Access control list (ACL) and user interaction bypass, Local Arbitrary File Read, Sensitive information disclosure, Man-in-the-middle (MITM) attacks, and Denial of service (DoS).

How many devices are potentially affected by the AirBorne vulnerabilities?

According to Apple's January 2025 statement, there are 2.35 billion active Apple devices globally and over 100 million active macOS users (as of 2018). Additionally, tens of millions of third-party audio devices with AirPlay support and over 800 vehicle models with CarPlay support could be affected.

What security updates has Apple released to address these vulnerabilities?

Apple has released the following security updates: iOS 18.4 and iPadOS 18.4, macOS Ventura 13.7.5, macOS Sonoma 14.7.5, and macOS Sequoia 15.4, visionOS 2.4, AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, and CarPlay Communication Plug-in R18.1.

What should users do to protect themselves from the AirBorne vulnerabilities?

Users are advised to update all Apple devices to the latest software versions immediately, disable the AirPlay receiver if not in use, create firewall rules to limit AirPlay communication (Port 7000) to trusted devices only if possible, and change AirPlay settings to 'Current User' to reduce the attack surface.

Do the AirBorne vulnerabilities affect third-party devices?

Yes, the AirBorne vulnerabilities affect not only Apple devices but also third-party products that use AirPlay functionality, including audio devices with AirPlay support and vehicles with CarPlay support.

Advisory

Flaws in Apple's AirPlay protocol puts millions of devices at risk

Q: How serious are the AirBorne vulnerabilities?

The AirBorne vulnerabilities are extremely serious. CVE-2025-24252 and CVE-2025-24132 allow attackers to create wormable zero-click RCE exploits - malware could spread automatically between devices on any local network the infected device connects to. The highest CVSS score among these vulnerabilities is 9.8 (Critical).

published: April 29, 2025

Take action: If you needed a great reason to update all your Apple devices (including AirPods, Apple Vision Pro, Apple TVs), how about all those being hacked and used to spread malware? Also, make sure to update all your third-party smart speakers (Sonos, Bose), home theater systems, wireless speakers, smart TVs, and your car that uses Apple CarPlay. If you can't update, disable AirPlay when not in use and set AirPlay settings to "Current User" to reduce the attack surface.

Learn More

Oligo Security Research has uncovered a set of security vulnerabilities in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK), which affects both Apple devices and third-party products that use AirPlay functionality.

Collectively named "AirBorne," these vulnerabilities enable attackers to remotely compromise devices through wireless networks or peer-to-peer connections:

CVE-2025-24252 (CVSS score 9.8) - Use After Free vulnerability
CVE-2025-24132 (CVSS score not available, probably critical) - Stack-based Buffer Overflow vulnerability
CVE-2025-24206 (CVSS score 7.7) - Authentication Bypass vulnerability that enables zero-click attacks by bypassing the "Accept" click requirement

The flaws CVE-2025-24252 and CVE-2025-24132 allow attackers to create wormable zero-click RCE exploits - malware could spread automatically between devices on any local network the infected device connects to.

The vulnerabilities enable multiple attack vectors, including:

Zero-Click Remote Code Execution (RCE)
One-Click RCE
Access control list (ACL) and user interaction bypass
Local Arbitrary File Read
Sensitive information disclosure
Man-in-the-middle (MITM) attacks
Denial of service (DoS)

Apple stated in January 2025 that there are 2.35 billion active Apple devices globally and there are over 100 million active macOS users (as of 2018). Tens of millions of third-party audio devices with AirPlay support and over 800 vehicle models with CarPlay support

Apple has released security updates to address these vulnerabilities:

iOS 18.4 and iPadOS 18.4
macOS Ventura 13.7.5, macOS Sonoma 14.7.5, and macOS Sequoia 15.4
visionOS 2.4
AirPlay audio SDK 2.7.1
AirPlay video SDK 3.6.0.126
CarPlay Communication Plug-in R18.1

Users are advised to update all Apple devices to the latest software versions immediately, disable the AirPlay receiver if not in use. If possible, create firewall rules to limit AirPlay communication (Port 7000) to trusted devices only and change AirPlay settings to "Current User" to reduce the attack surface.

Flaws in Apple's AirPlay protocol puts millions of devices at risk

Read More
Another critical Microsoft alert after the patch tuesday …
Google patches Chrome critical and high severity vulnerabilities
NVIDIA and Arm advise patching of actively exploited …
Lazarus hacker group exploits Windows component to gain …
Over 60 Security Vulnerabilities Resolved in AI Assistant …