Zero-click attacks via AirPlay are already in action

Researchers from Oligo Security have found critical flaws in Apple’s AirPlay protocol. These flaws allow attackers to launch zero-click RCE attacks over public Wi-Fi. Fixes are already available in updates for iOS, macOS, tvOS and other platforms.

1. The vulnerabilities, collectively known as AirBorne, open the way for arbitrary code execution on Apple devices and third-party devices that support the AirPlay SDK. The combination of CVE-2025-24252 and CVE-2025-24206 provides zero-click compromise of devices on the network, without requiring user interaction.
2. The attack becomes possible if AirPlay is enabled in “Any on the same network” mode – the most popular configuration in cafes, offices and conference rooms. An infected device can spread malicious code on corporate networks after connecting.

Additional CVEs are related to vulnerabilities such as DoS, data leakage, ACL bypass, authentication errors, and buffer overflows.

AirPlay is Apple’s wireless protocol for streaming media between devices, which is enabled by default on many Macs, iPhones, and Apple TVs. Apple’s SDK is also used in many third-party audio systems.

The issues discovered in 2025 are reminiscent of past Bluetooth (BlueBorne) and Wi-Fi (Kr00k) vulnerabilities, but this time they are large-scale zero-click attacks targeting Apple’s supposedly secure ecosystem.

Fixes are now available in the following updates:

• iOS/iPadOS 18.4, 17.7.6
• macOS Sequoia 15.4 / Sonoma 14.7.5 / Ventura 13.7.5
• tvOS 18.4
• visionOS 2.4
• AirPlay SDK 2.7.1 / 3.6.0.126
• CarPlay Plug-in R18.1

All users, both corporate and consumer, should immediately update all their AirPlay-enabled devices. Employees should be informed of the importance of updating their personal devices to avoid the risk of infecting the corporate network via home or public Wi-Fi.