
🔒 AirBorne: Critical Zero-Click Wormable RCE in Apple’s AirPlay Protocol

Skander
Sr. Developer
4 months ago

A Wake-Up Call for Apple Ecosystem Security

A recent discovery by Oligo Security has exposed a set of critical vulnerabilities in Apple’s AirPlay protocol and its SDK—vulnerabilities that open the door to wormable zero-click Remote Code Execution (RCE) attacks. Dubbed “AirBorne”, these flaws could impact billions of Apple and third-party IoT devices globally.

This isn't just an Apple problem. It's a supply-chain level security risk that affects third-party vendors, enterprises, and users relying on AirPlay for media streaming, smart device integration, and CarPlay functionality.

What Is AirBorne?

AirBorne is the collective name given to a series of 23 vulnerabilities (17 of which received CVEs) found in Apple’s AirPlay protocol—used widely in macOS, iOS, AppleTV, CarPlay, and millions of third-party smart devices.

The most alarming findings include:

Zero-Click RCE – No user interaction required

One-Click RCE – Minimal user interaction

Wormable Exploits – Automatically spread across local networks

Access Control Bypass, File Read, MITM & DoS

Why It Matters for Businesses and Developers

For enterprises, especially those working with embedded systems, streaming devices, smart environments, or fleet vehicles, these vulnerabilities could mean:

Compromised internal networks via infected public WiFi devices

Espionage or data leaks through compromised microphones or file systems

Operational disruption via remote playback, image injection, or DoS

Regulatory and reputational risks tied to exploited customer-facing devices

This should serve as a cautionary tale for any tech business building on third-party SDKs or integrating protocols without sufficient sandboxing and validation layers.

Highlights of the Most Critical Vulnerabilities

🖥️ macOS – Zero-Click Wormable RCE

CVE-2025-24252 + CVE-2025-24206

Exploited through AirPlay receiver in "Everyone" mode over local WiFi.

An infected device on public WiFi could spread malware back into corporate networks.

🔊 AirPlay SDK Devices – Zero-Click RCE

CVE-2025-24132

Impacts millions of smart speakers and receivers using the AirPlay SDK.

Vulnerable under all configurations—an ideal worm propagation vector.

🚗 CarPlay – Zero/One-Click RCE

Via Bluetooth, USB, or WiFi hotspot.

Risks include location tracking, audio distraction, and potential eavesdropping.

Technical Deep Dive: plist Exploitation

The attack surface is largely due to how AirPlay handles property lists (plists)—a structured format used by Apple to exchange data.

One example, CVE-2025-24129, is a type confusion bug in the /getProperty endpoint, where malformed plist input can crash the device or hijack its behavior because the CFType of the parsed values is not validated.

For engineers, this highlights the importance of:

Strict type validation

Segregation of privilege boundaries

Defense-in-depth design for IoT communication protocols
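
To make "strict type validation" concrete, here is an added Python example (not code from Oligo, Apple, or the AirPlay SDK) that parses an untrusted plist body and rejects it unless every value has exactly the expected type. The key names, the schema, and the size cap are hypothetical and do not reflect AirPlay's real request format.

```python
import plistlib

# Hypothetical schema: these keys are illustrative, not AirPlay's real fields.
SCHEMA = {"property": str, "sessionID": int, "options": dict}
OPTIONS_SCHEMA = {"volume": float, "muted": bool}
REQUIRED = {"property", "sessionID"}
MAX_BODY = 4096  # assumed cap; reject oversized bodies before parsing

class PlistValidationError(ValueError):
    pass

def _check(obj, schema, path, required=frozenset()):
    """Reject wrong container types, unknown keys, and mistyped values."""
    if type(obj) is not dict:
        raise PlistValidationError(f"{path}: expected dict, got {type(obj).__name__}")
    unknown = set(obj) - set(schema)
    if unknown:
        raise PlistValidationError(f"{path}: unexpected keys {sorted(map(repr, unknown))}")
    for key, expected in schema.items():
        if key not in obj:
            if key in required:
                raise PlistValidationError(f"{path}.{key}: missing")
            continue
        # Exact match on purpose: isinstance(True, int) is True in Python,
        # so isinstance() would let a <true/> through where an integer is expected.
        if type(obj[key]) is not expected:
            got = type(obj[key]).__name__
            raise PlistValidationError(f"{path}.{key}: expected {expected.__name__}, got {got}")

def parse_request(body: bytes) -> dict:
    """Parse an untrusted plist body and return it only if every type matches."""
    if len(body) > MAX_BODY:
        raise PlistValidationError("body too large")
    try:
        root = plistlib.loads(body)
    except Exception as exc:  # malformed XML or binary plist
        raise PlistValidationError(f"unparseable plist: {exc}") from exc
    _check(root, SCHEMA, "root", REQUIRED)
    if "options" in root:
        _check(root["options"], OPTIONS_SCHEMA, "root.options")
    return root

# Constructed sample bodies (not captured traffic).
GOOD = plistlib.dumps({"property": "volume", "sessionID": 7, "options": {"muted": False}})
CONFUSED = plistlib.dumps({"property": {"nested": "dict"}, "sessionID": 7})
BOOL_AS_INT = plistlib.dumps({"property": "volume", "sessionID": True})
```

Handlers should only ever see the dictionary returned by `parse_request`; anything that raises `PlistValidationError` is dropped before it reaches code that assumes a type.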

Remediation and Defense

Apple has issued patches addressing all reported vulnerabilities. If you're managing Apple or AirPlay-integrated devices:

Update all systems immediately, including third-party AirPlay SDK components.

Disable AirPlay Receiver where not explicitly required.

Enforce strict network segmentation for BYOD and public WiFi devices.

Review ACL configurations and disable “Everyone” access modes.

Final Thoughts

The AirBorne vulnerabilities remind us why zero-trust network design, secure SDK usage, and proactive patch management must be cornerstones of any modern infrastructure.

At Bentech, we help companies build secure, maintainable systems with modern software practices—from low-level protocol design to high-level secure APIs.

If you're integrating third-party SDKs or IoT protocols into your product and want to future-proof against threats like AirBorne, reach out to us.
