Oligo Researchers Warn of Serious "AirBorne" Security Vulnerabilities in Apple's AirPlay Ecosystem
The most severe of the flaws allows for remote code execution with no user interaction, the company says.
A trio of experts from Oligo Security Research have warned of a zero-click remote code execution (RCE) vulnerability in Apple's AirPlay protocol — and while the company has patched the hole in its own products, third-party devices may still be at risk.
"Oligo Security Research has discovered a new set of vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices," Oligo's Uri Katz, Avi Lumelsky, and Gal Elbaz explain of their findings. "These vulnerabilities can be chained by attackers to potentially take control of devices that support AirPlay – including both Apple devices and third-party devices that leverage the AirPlay SDK."
Two of the discovered vulnerabilities — CVE-2025-24252 and CVE-2025-24132 — are of the highest concern: "[these] allow attackers to weaponize wormable zero-click RCE exploits," the team explains. "This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to. This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more."
Oligo disclosed its findings, a total of 23 vulnerabilities that led to 17 CVEs being assigned, privately to Apple, with impacts ranging from arbitrary file access and sensitive information disclosure to man-in-the-middle and denial of service attacks. It's the remote code execution vulnerabilities that are of greatest concern, though, especially if chained with a user interaction bypass vulnerability also discovered by the team — allowing an attacker to execute any code on a target AirPlay-compatible device entirely silently.
Apple has confirmed the vulnerabilities and released updates for its own products, but these do not protect users of third-party AirPlay-compatible devices built using the vulnerable version of Apple's software development kit. Oligo advises that users update their devices if an update is available, disable AirPlay receivers when they are not in use, block AirPlay communication at the firewall, and set the AirPlay receiver so it's only accessible for the currently logged-in user. "While this does not prevent all of the issues mentioned in the report," the team admits, "it does reduce the protocol’s attack surface."
More information is available on the Oligo blog.