Apple users and security teams just got a major wake up call. Oligo Security has uncovered 17 critical CVEs in Apple’s AirPlay protocol, including wormable zero click remote code execution vulnerabilities that affect billions of devices globally. Dubbed AirBorne, the vulnerabilities enable attackers to take control of macOS, iPhones, CarPlay, and third party devices using AirPlay SDK without user interaction. 

For enterprise environments where personal and corporate Apple devices freely move between networks, this is a potential powder keg. Read on to see how these vulnerabilities work and what organizations, especially those using Beyond Identity, can do right now to mitigate the risk.

How did the AirPlay vulnerabilities happen?

AirPlay was never designed for hardened environments. It communicates over port 7000 using a blend of HTTP and RTSP protocols, with commands sent as property lists. This flexible but loosely validated structure introduced serious flaws in how data is parsed, validated, and executed.

‍

Here is what Oligo discovered:

• CVE-2025-24252, a use after free vulnerability in macOS, enables zero click RCE when chained with CVE-2025-24206, an interaction bypass. Devices set to accept AirPlay connections from “Anyone on the same network” or “Everyone” are especially exposed.
• CVE-2025-24132, a stack based buffer overflow, impacts devices using the AirPlay SDK including third party speakers and CarPlay. This exploit is also wormable and zero click, meaning it can propagate to other nearby devices without user input.
• Additional vulnerabilities such as CVE-2025-24271 and CVE-2025-24137 enable one click RCE by bypassing AirPlay’s weak access controls.

In real world terms, an attacker could compromise a MacBook in a coffee shop using public WiFi, then wait for that same device to connect to a corporate network, creating a bridge for further lateral movement or data theft. Even CarPlay units can be turned into surveillance tools via Bluetooth, WiFi, or USB exploits, turning a vehicle into a mobile attack vector.

Apple has issued patches across macOS, iOS, CarPlay, and other platforms as of January 2025. However, devices remain vulnerable until fully updated and that includes millions of third party products using the AirPlay SDK.

Recommendations for Beyond Identity Customers

To stop unpatched and vulnerable devices from putting your organization at risk, we strongly recommend taking proactive action via policy. These policies target specific versions of iOS and macOS that are unpatched.

We recommend all customers apply a deny policy immediately for the following conditions:

• iOS devices with version less than 18.4.0
• macOS devices with:
  
  • Version less than 13.0.0
  • Version greater than or equal to 13.0.0 and less than 13.7.5
  • Version greater than or equal to 14.0.0 and less than 14.7.5
  • Version greater than or equal to 15.0.0 and less than 15.4.0

While monitoring via policy is an option, we recommend fully denying authentication from these devices until they are updated to a safe version. This ensures that vulnerable endpoints cannot be used as a foothold into corporate systems.

Beyond Identity customers can implement these mitigations using existing policy frameworks. If you are unsure how to create a version check or policy for macOS 15.3 and up, reach out to your customer success representative or request a demo. 

Final Thoughts

This is not just another Apple CVE drop. The AirBorne vulnerabilities expose how default trusted protocols like AirPlay designed for convenience not control can introduce wide scale risk when used in hybrid work environments. With wormable zero click RCE now a reality, it is no longer enough to trust that your devices are up to date. You need real time version aware access controls to protect every login every time.

Stay vigilant. Stay updated. And do not let vulnerable devices in the door.