Billions of Apple Devices at Risk from “AirBorne” AirPlay Vulnerabilities



Oligo Security uncovers “AirBorne,” a set of 23 vulnerabilities in Apple AirPlay affecting billions of devices. Learn how these flaws enable remote code execution (RCE) and data theft on iPhones, Macs, CarPlay, and more.

Cybersecurity firm Oligo has revealed major vulnerabilities, dubbed AirBorne, in Apple’s AirPlay, a wireless system used by iPhones, iPads, Macs, and third-party devices for audio and video streaming. The flaws also affect the AirPlay SDK that Apple provides to third-party manufacturers, and they could let attackers take control of devices on the same Wi-Fi network.

Apple has released updates for its own devices and provided fixes to third-party makers, urging users to update. However, not all companies ship updates quickly. Oligo identified 23 vulnerabilities, tracked under 17 CVE identifiers, that could enable various attacks, including taking complete control of a device without user interaction (Zero-Click RCE), reading any file (Local Arbitrary File Read), stealing private information, and intercepting communications. Attackers could chain these to fully control devices.

Two key vulnerabilities (CVE-2025-24252 and CVE-2025-24132) could allow wormable attacks, spreading harmful software automatically across networks. This could lead to serious issues like spying and ransomware. Millions of Apple devices and third-party AirPlay devices, including those in cars (CarPlay), are potentially affected.

Oligo demonstrated Zero-Click RCE on macOS (CVE-2025-24252) under certain network settings, potentially allowing malware to spread. They also found One-Click RCE on macOS (CVE-2025-24271) under different settings. Speakers and receivers using AirPlay SDK are vulnerable to Zero-Click RCE (CVE-2025-24132), allowing eavesdropping. CarPlay devices are also at risk of RCE, which could distract drivers or enable tracking.

Oligo’s research found that many basic AirPlay commands were accessible without strong security. The vulnerabilities often relate to how the AirPlay software handles data in a format called “plist.”

For context, AirPlay communicates over port 7000 using a combination of the HTTP and RTSP protocols. Commands, particularly those that carry additional parameters, are sent as HTTP request bodies encoded in plist (property list) format.

Oligo gave one example of a type confusion vulnerability (CVE-2025-24129) that occurs because the AirPlay software doesn’t properly check the type of the data it receives in a plist. If it expects a list of items but receives a value of a different type, the program can crash.
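To make the type confusion pattern concrete, here is an added example (not code from Oligo's report or from Apple's AirPlay implementation) written in Python with the standard library's plistlib. The request bodies, the `streams` key and the `type` field are constructed for illustration and do not reflect real AirPlay message names. The naive handler trusts whatever types the deserialized plist contains and fails when a string arrives where an array was expected, standing in for the crash the article describes; the checked handler validates every type before use and rejects the request cleanly.

```python
import plistlib

# Constructed sample request bodies, not captured from any real device.
# GOOD_BODY carries an array under "streams"; BAD_BODY carries a string
# under the same key, which is the shape of input a type-confused parser
# mishandles.
GOOD_BODY = plistlib.dumps({"streams": [{"type": 110}, {"type": 96}]})
BAD_BODY = plistlib.dumps({"streams": "not-an-array"})


class PlistTypeError(ValueError):
    """Raised by the checked handler when a plist value has the wrong type."""


def handle_naive(body: bytes) -> int:
    """Trusts the deserialized plist's types without checking them.

    With BAD_BODY, iterating the string yields characters, and indexing a
    character with s["type"] raises TypeError: the unchecked assumption
    that "streams" is a list of dicts is what blows up.
    """
    req = plistlib.loads(body)
    streams = req["streams"]
    return sum(1 for s in streams if s["type"] == 110)


def expect(value, typ, name):
    """Return value if it is an instance of typ, else raise PlistTypeError."""
    if not isinstance(value, typ):
        raise PlistTypeError(
            f"{name}: expected {typ.__name__}, got {type(value).__name__}"
        )
    return value


def handle_checked(body: bytes) -> int:
    """Validates the plist structure before touching any field."""
    try:
        req = plistlib.loads(body)
    except Exception as exc:  # malformed XML/binary plist
        raise PlistTypeError(f"malformed plist: {exc}") from exc
    req = expect(req, dict, "root")
    # .get() returns None for a missing key, which expect() then rejects.
    streams = expect(req.get("streams"), list, "streams")
    count = 0
    for i, s in enumerate(streams):
        s = expect(s, dict, f"streams[{i}]")
        t = expect(s.get("type"), int, f"streams[{i}].type")
        if t == 110:
            count += 1
    return count


def outcome(handler, body: bytes) -> str:
    """Classify how a handler copes with a body: ok, rejected or crashed."""
    try:
        handler(body)
        return "ok"
    except PlistTypeError:
        return "rejected"
    except Exception:
        return "crashed"


if __name__ == "__main__":
    for name, handler in (("naive", handle_naive), ("checked", handle_checked)):
        print(name, "good:", outcome(handler, GOOD_BODY),
              "bad:", outcome(handler, BAD_BODY))
```

The point of `expect` is that every field is checked against the type the code is about to rely on, including the container type of the root object, so a wrong-typed or missing value becomes a handled error rather than an unhandled exception in a receiver that should stay running.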

Crashing a device’s AirPlay service could also allow attackers to intercept communications: once the AirPlay server on a device is down, an attacker could impersonate that device on the network and receive the traffic meant for it. The researchers described a scenario in which an attacker crashes a TV’s AirPlay, assumes its identity, and then records a meeting being streamed to it.

Oligo’s in-depth technical report published on April 29, 2025, urges users and organizations to immediately update all Apple and third-party AirPlay devices to the latest software. They also suggest disabling AirPlay when not in use and limiting AirPlay access on networks.

In a comment to Hackread.com, cybersecurity expert and Head of Business Product at NordPass, Karolis Arbaciauskas stated that “Many third-party AirPlay devices don’t get timely updates like Apple’s, so vulnerabilities may remain. To exploit them, an attacker needs access to your Wi-Fi, so secure your router with updates and a strong password.”

“Factory-set passwords are often weak, so always change them. Use at least eight random characters with numbers and symbols, and consider a password manager to make this easier,” Karolis advised. “Avoid using AirPlay on public Wi-Fi, which is often insecure. If possible, use your phone’s hotspot instead, or at least avoid open networks and use a VPN.”
