Summary

CVE-2025-24252 is part of “AirBorne”, a set of critical vulnerabilities in Apple’s AirPlay protocol and AirPlay SDK. They enable zero-click, unauthenticated remote code execution (RCE) over Wi-Fi, with no user interaction, on over 2.35 billion Apple devices and tens of millions of third-party devices.

Impacted Versions

  • Apple OS:
    • iOS and iPadOS before 18.4 (fixed in 18.4) [6]
    • macOS Ventura before 13.7.5, Sonoma before 14.7.5 and Sequoia before 15.4 (fixed in those releases) [7]
    • visionOS before 2.4 (fixed in 2.4) [7]
  • AirPlay SDK (third-party devices):
    • Fixed in Audio SDK 2.7.1, Video SDK 3.6.0.126 and the CarPlay Plug-in updates [1]

Vulnerabilities

  • CVE-2025-24252 + CVE-2025-24206 (Use-After-Free & Auth Bypass)
    • Severity: Critical
    • A use-after-free in the AirPlay receiver, combined with an authentication bypass, enables zero-click RCE on devices whose AirPlay receiver is set to “Anyone on the same network” [1][4].
  • CVE-2025-24132 (Stack-Based Buffer Overflow)
    • Severity: Critical
    • An overflow in the AirPlay SDK affecting speakers, TVs and CarPlay systems allows wormable exploits [1][4].
  • CVE-2025-24271 (ACL Bypass)
    • Severity: Critical
    • Improper access-control handling lets attackers send unauthenticated AirPlay commands, weaponisable for RCE [1][4].

Exploitation & Threat

Attackers on the same Wi-Fi network can send malformed plist or RTSP commands (e.g. /setProperty, SETUP) to crash AirPlay services, corrupt memory and achieve code execution in background processes (e.g. ControlCenter, WindowServer) [1]. Demonstrations include hijacking a Mac’s Music app or a Bose speaker to display images and play audio; buffer-overflow chaining enables self-propagation across devices [2][3][4]. Public hotspots and corporate Wi-Fi are prime targets for mass exploitation, lateral movement, espionage or ransomware staging [2].

Mitigations

  1. Patch Immediately: Apply Apple’s updates for iOS 18.4, iPadOS 18.4, macOS Ventura 13.7.5, Sonoma 14.7.5, Sequoia 15.4 and visionOS 2.4 [6][7].
  2. Disable AirPlay Receiver: Turn off AirPlay on devices not in active use [1].
  3. Network Hardening: Restrict port 7000 (AirPlay) via firewalls; limit AirPlay traffic to trusted endpoints [1].
  4. Third-Party Coordination: Contact device manufacturers for SDK firmware updates; verify that Audio 2.7.1/Video 3.6.0.126/CarPlay Plug-in patches are applied [1].
  5. Monitoring & Detection: Audit network logs for unusual /setProperty or SETUP requests; deploy IDS/IPS signatures and Nuclei templates for AirBorne indicators [4].
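
A minimal sketch of the log audit in mitigations 3 and 5, added here as an example and not taken from Apple, Oligo or any cited source: it flags SETUP or /setProperty requests to port 7000 that come from senders outside a trusted range. The log line layout, the trusted range and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the advisory): the log line layout, the trusted
# sender range and the sample traffic below are all constructed.
AIRPLAY_PORT = 7000
TRUSTED_SENDERS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24",)]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z_]+) (?P<uri>\S+)"
)
SAMPLE_LOG = """\
2025-05-02T09:14:01Z 10.20.0.15 -> 10.20.0.80:7000 SETUP rtsp://10.20.0.80/1234
2025-05-02T09:14:07Z 10.30.5.44 -> 10.20.0.80:7000 POST /setProperty
2025-05-02T09:14:09Z 10.30.5.44 -> 10.20.0.81:7000 SETUP rtsp://10.20.0.81/9
2025-05-02T09:15:30Z 10.30.5.44 -> 10.20.0.80:443 GET /index.html
2025-05-02T09:16:02Z 10.20.0.15 -> 10.20.0.80:7000 GET /info
malformed line that should be skipped
"""

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: treat as untrusted
    return any(addr in net for net in TRUSTED_SENDERS)

def is_sensitive(method, uri):
    # The advisory names SETUP and /setProperty as requests worth auditing.
    path = uri.split("?", 1)[0]
    return method == "SETUP" or path.endswith("/setProperty")

def audit(log_text):
    """Return {source_ip: [(timestamp, dst, method, uri), ...]} for SETUP or
    /setProperty requests to port 7000 sent by untrusted sources."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["port"]) != AIRPLAY_PORT:
            continue  # not a parseable AirPlay request line
        if not is_trusted(m["src"]) and is_sensitive(m["method"], m["uri"]):
            findings[m["src"]].append((m["ts"], m["dst"], m["method"], m["uri"]))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in audit(SAMPLE_LOG).items():
        targets = sorted({h[1] for h in hits})
        print(f"{src}: {len(hits)} request(s) to {targets}")
```

A single untrusted source reaching several receivers, as in the constructed sample, is the pattern to prioritise given the self-propagation risk described above.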

Resources and Further Reading

  1. Cybersecurity News: AirPlay Zero-Click RCE Vulnerability
  2. The Verge: AirPlay security flaws could help hackers spread malware
  3. Wired: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
  4. Oligo Security: Critical Vulnerabilities in AirPlay Protocol
  5. BleepingComputer: Apple ‘AirBorne’ zero-click AirPlay RCE attacks
  6. Apple Support: About the security content of iOS 18.4 and iPadOS 18.4
  7. Apple Support: Apple security releases
  8. TheHackerNews: Apple backports critical fixes for 3 recent 0-days
  9. Forbes: iOS 18.4.1—Apple Issues Update Now Warning To All iPhone Users
  10. Apple Support: About the security content of iOS 18.4.1 and iPadOS 18.4.1