TL;DR

Oligo Security Research has discovered a new set of vulnerabilities in Apple's AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices.

The vulnerabilities enable an array of attack vectors and outcomes, including:

- Zero-Click RCE
- One-Click RCE
- Access control list (ACL) and user interaction bypass
- Local Arbitrary File Read
- Sensitive information disclosure
- Man-in-the-middle (MITM) attacks
- Denial of service (DoS)

These vulnerabilities can be chained by attackers to potentially take control of devices that support AirPlay, including both Apple devices and third-party devices that leverage the AirPlay SDK. The vulnerabilities and the attack vectors they enable have been named "AirBorne" by Oligo Security researchers, as the attacks that they make possible are transmitted via wireless networks or peer-to-peer connections, and allow attackers to fully take over devices and use that access as a launchpad for further exploitation.

Oligo has demonstrated that two of the vulnerabilities (CVE-2025-24252 and CVE-2025-24132) allow attackers to weaponize wormable zero-click RCE exploits. This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to. This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more. Because AirPlay is a fundamental piece of software for Apple devices (Mac, iPhone, iPad, Apple TV, etc.) as well as third-party devices that leverage the AirPlay SDK, this class of vulnerabilities could have far-reaching impacts.

For perspective: while not every Apple device worldwide is vulnerable to RCE via AirBorne, Apple stated in January 2025 that there are 2.35 billion active Apple devices across the globe. In 2018, Apple indicated that there were over 100 million active macOS users globally.
Other A...
First seen: 2025-04-29 16:24
Last seen: 2025-04-30 01:25