Vulnerabilities in Apple’s AirPlay protocol make billions of devices vulnerable

A series of vulnerabilities in Apple’s AirPlay Protocol and AirPlay Software Development Kit (SDK) make Apple and third-party devices vulnerable to various attacks. According to cybersecurity company Oligo Security, which discovered the vulnerabilities, they can be exploited for zero-click and one-click remote code execution (RCE) attacks. Man-in-the-middle (MITM) attacks are also possible.

Oligo Security reported a total of 23 security issues to Apple. These vulnerabilities, collectively known as “AirBorne”, were patched by Apple on March 31. Security updates have been released for iPhones and iPads (iOS 18.4 and iPadOS 18.4), Macs (macOS Ventura, macOS Sonoma, and macOS Sequoia), and the Apple Vision Pro (visionOS 2.4).

In addition to these device updates, Apple has also updated the AirPlay audio SDK, the AirPlay video SDK, and the CarPlay Communication Plug-in to address the issues.

Wormable zero-click attacks

The name AirBorne is well chosen, as malicious actors can easily gain access to devices. Although the AirBorne vulnerabilities can only be exploited by attackers on the same wireless network or peer-to-peer connection, they can be used to take over vulnerable devices. These devices can then be used to hack other AirPlay devices on the same network.

Security researchers at Oligo have demonstrated that attackers can combine two security vulnerabilities (CVE-2025-24252 and CVE-2025-24132) to create ‘wormable’ zero-click remote code execution (RCE) exploits. This means that malware can spread independently between devices without requiring user permission or actions.

Additionally, the CVE-2025-24206 vulnerability enables attackers to bypass the required “Accept” click on AirPlay requests. This can be combined with other vulnerabilities to carry out zero-click attacks.

These types of vulnerabilities are not new to Apple. Earlier this year, the company had to patch a dangerous zero-day vulnerability in Safari’s WebKit engine. This was already being actively exploited in advanced attacks.

Far-reaching consequences

An attacker can take over an AirPlay device and automatically spread malware to other AirPlay devices on any local network to which the infected device is connected, warns Oligo. This can lead to advanced attacks, including espionage, ransomware, supply chain attacks, and others. If one infected iPhone (personal or work device) is connected to a corporate network, it can infect all other iPhones and Mac devices on the same corporate network.

AirPlay is a fundamental part of Apple devices (Mac, iPhone, iPad, Apple TV, etc.). However, it is also found in various third-party devices that utilize the AirPlay SDK. This means that these vulnerabilities could have far-reaching consequences.

Apple has more than 2.35 billion active devices worldwide (including iPhones, iPads, Macs, and others). Oligo estimates that there are also tens of millions of third-party devices, such as speakers and TVs with AirPlay support. There are also car infotainment systems that support CarPlay.

The cybersecurity company advises organizations to immediately update all business Apple devices and AirPlay devices to the latest software release. Additionally, it is advisable to ask employees to update all their personal AirPlay devices as well.

Additional measures users can take to limit the potential for attack include:

  • Update all Apple devices to the latest version
  • Disable the AirPlay receiver when not in use
  • Restrict AirPlay access to trusted devices using firewall rules
  • Reduce the attack surface by allowing AirPlay only for the current user

System administrators who manage Apple devices should force the update as soon as possible.
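
For administrators working through that update, the following is an added example (not code from Oligo or Apple) that sorts a device inventory against the patched releases named in this article. The CSV layout, host names and status labels are assumptions made for illustration; macOS and AirPlay SDK devices are sent to manual review because the article names their updates without version numbers.

```python
import csv
import io

# Minimum patched versions as stated in the article.
PATCHED_MIN = {"ios": (18, 4), "ipados": (18, 4), "visionos": (2, 4)}
# The article names these updates without version numbers, so a person
# has to check them against the vendor's advisory.
MANUAL_REVIEW = {"macos", "airplay-sdk", "carplay"}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """host,platform,version
ceo-iphone,iOS,18.3.2
lab-ipad,iPadOS,18.4
dev-iphone,iOS,18.10
demo-headset,visionOS,2.3
design-mac,macOS,15.3
lobby-speaker,AirPlay-SDK,unknown
kiosk-ipad,iPadOS,beta
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'review' for one device."""
    key = platform.strip().lower()
    if key in MANUAL_REVIEW:
        return "review"
    minimum = PATCHED_MIN.get(key)
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return "review"  # unknown platform or unparseable version string
    # Tuple comparison is numeric per component, so 18.10 ranks above 18.4
    # (a plain string comparison would get this wrong).
    return "patched" if parsed >= minimum else "vulnerable"

def audit(inventory_csv):
    """Map each host in the CSV text to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

Devices reported as "review" are not cleared; they need their firmware or OS build checked by hand.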