Multiple vulnerabilities disclosed on multiple Apple operating systems
Published: May 1, 2025
Topics on this page:
Overview:
Security Researchers at Oligo have released a notification about an assortment of new vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK). The vulnerabilities permit a raft of attack methods, including Remote Code Execution, Access Bypass, and Denial of Service. Attackers can chain these vulnerabilities to potentially take control of devices that support AirPlay – including both Apple devices and third-party devices that leverage the AirPlay SDK.
Fortunately, Oligo responsibly disclosed this and worked with Apple to validate patches before disclosing the vulnerability, so we recommend ensuring that Apple devices are fully patched to mitigate these vulnerabilities.
Third-party products that support AirPlay should be reviewed with their vendor for patches/firmware updates. Automobiles will also need head unit updates; however, they are less vulnerable as a malicious device would have to be connected to them via Bluetooth first.
Summary:
The “AirBorne” vulnerability is a serious zero-click, remote code execution (RCE) exploit affecting Apple AirPlay-enabled devices. It allows attackers to take control of devices without any user interaction via Wi-Fi, enabling malware deployment and further network exploitation. This vulnerability, specifically impacting CVE-2025-24252, is transmitted through wireless networks and can be weaponized to spread malware and potentially lead to other sophisticated attacks.
Key aspects of the AirBorne vulnerability:
- Zero-click RCE: Attackers can exploit the vulnerability without user interaction or prompting.
- Wide impact: It affects over 2.35 billion Apple devices and tens of millions of third-party devices.
- Wormable: The vulnerability can be used to create self-spreading malware, impacting other devices on the same network.
- Network-based: The exploit is transmitted through Wi-Fi, making it easy to spread across networks.
- Potential for further attacks: Full control of the compromised device can be used as a launchpad for more sophisticated attacks, such as espionage, ransomware, or supply-chain attacks.
Vulnerability details:
User interaction bypass
CVE: CVE-2025-24206
ACL issues and bypass
CVE: CVE-2025-24271
Remote Code Execution (RCE)
- CVE: CVE-2025-24132
- CVE: CVE-2025-30422
- CVE: CVE-2025-24252
- CVE: CVE-2025-24137
- CVE: CVE-2025-31197
Local Arbitrary File Read
CVE: CVE-2025-24270
Additional Vulnerabilities
- CVE: CVE-2025-24126
- CVE: CVE-2025-24129
- CVE: CVE-2025-24131
- CVE: CVE-2025-24177
- CVE: CVE-2025-24179
- CVE: CVE-2025-24251
- CVE: CVE-2025-30445
- CVE: CVE-2025-31202
- CVE: CVE-2025-31203
Impacted versions:
| Apple operating systems | Versions affected |
|---|---|
| iPadOS: | Up to (excluding) 17.7.6 From (including) 18.0 up to (excluding) 18.4 |
| iOS: | Up to (excluding) 18.4 |
| MacOS: | Up to (excluding) 13.7.5 From (including) 14.0 up to (excluding) 14.7.5 From (including) 15.0 up to (excluding) 15.4 |
| TVOS: | Up to (excluding) 18.4 |
| visionOS: | Up to (excluding) 2.4 |
Recommendations:
Patch devices to an unaffected version listed above as soon as possible.
Support:
As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.
