A new set of vulnerabilities in Apple’s AirPlay protocol and SDK is raising serious red flags across the security community.
According to Oligo Security, a total of 23 flaws—collectively named “AirBorne”—could allow attackers to remotely take over AirPlay-enabled devices, in some cases with zero user interaction.
That includes not only Apple products but also third-party hardware built with the AirPlay SDK.
What makes this particularly concerning is that two of the vulnerabilities, CVE-2025-24252 and CVE-2025-24132, are wormable and support zero-click remote code execution (RCE).
That means an attacker could compromise one device and automatically spread to others on the same network, with no human involvement. It’s the kind of exploit chain that could serve as a launchpad for ransomware, supply-chain attacks, or even espionage operations.
CVE-2025-24252, a use-after-free bug in macOS, becomes especially dangerous when chained with CVE-2025-24206, a user interaction bypass. Together, they allow zero-click RCE on macOS devices that have AirPlay enabled and set to “Anyone on the same network” or “Everyone.” Once one system is hit, it can start spreading across the local network—a worst-case scenario in enterprise environments.
Oligo also highlighted CVE-2025-24271, an access control issue that lets unauthenticated users send AirPlay commands without pairing. When combined with CVE-2025-24137, this creates a path for one-click RCE. Meanwhile, CVE-2025-24132, a stack-based buffer overflow, supports zero-click RCE on speakers, receivers, and even CarPlay devices.
This isn’t just theoretical. In their disclosure, Oligo demonstrated a real-world exploit of CVE-2025-24252 and emphasized how a compromised AirPlay device on an enterprise network could allow attackers to move laterally, targeting additional systems.
The CarPlay angle adds another layer of risk—with attackers potentially able to push content to displays, hijack audio output, eavesdrop on conversations, or track vehicle locations under certain conditions.
Apple has already issued patches in recent iOS, iPadOS, and macOS updates, developed in cooperation with Oligo. In total, 17 CVE identifiers have been assigned so far. The remaining vulnerabilities were also addressed as part of ongoing hardening efforts.
This situation serves as a clear reminder of how widely adopted protocols like AirPlay can create unexpected attack surfaces, especially when integrated across consumer and enterprise environments.