In brief: Security researchers have uncovered a wide-ranging set of vulnerabilities in Apple’s AirPlay protocol that could allow attackers to hijack Apple and third-party devices remotely without user interaction. The exploit chain, dubbed “AirBorne,” includes 23 individual bugs – 17 with official CVEs – and enables zero-click remote code execution on vulnerable systems.

Cybersecurity firm Oligo identified several “critical” flaws in Apple’s native AirPlay protocol and the AirPlay Software Development Kit (SDK) used by audio and automotive manufacturers. While Apple has patched its platforms, many third-party devices remain exposed due to slow OEM update cycles. Oligo estimates that tens of millions of speakers, TVs, and CarPlay-enabled systems could still be vulnerable.

AirBorne is particularly dangerous due to its support for “wormable” exploits – attacks that can spread automatically between devices on the same network without user interaction. A critical flaw (CVE-2025-24252), combined with another vulnerability that bypasses user interaction (CVE-2025-24206), allows attackers to silently take control of macOS systems configured to accept AirPlay connections. A compromised laptop on a public Wi-Fi network could act as a gateway for further infiltrating corporate systems once reconnected to an office network.

Researchers demonstrate proof-of-concept performing remote code execution on a Mac.

The vulnerabilities extend beyond Macs. The researchers noted that third-party speakers and receivers using the AirPlay SDK are vulnerable across all environments. One zero-click flaw (CVE-2025-24132) is a stack-based buffer overflow that allows remote arbitrary code execution – without any clicks or warnings. Given the SDK’s widespread use, these exploits could spread through smart homes, offices, and vehicles.

Oligo credits Apple for cooperating during the responsible disclosure process, noting that updated software is now available for Apple devices. However, the greater risk lies with legacy or unsupported third-party products that may never receive fixes. The researchers estimate attackers could target billions of systems, citing Apple’s figure of 2.35 billion active devices globally and tens of millions of third-party AirPlay implementations.

Oligo plans to publish more detailed attack scenarios in the future. For now, the researchers urge users to keep their Apple devices up to date – Apple issued updates for macOS, iPadOS, and iOS earlier this week. Users should also review network sharing and AirPlay settings – especially when connecting to public or unsecured Wi-Fi networks. Check out Oligo’s analysis for a full list of bugs and more remediation steps.

Image credit: Micael Faccio