
Security researchers at Oligo Security have demonstrated a family of vulnerabilities in Apple’s AirPlay protocol that allow attackers to take control of targeted devices. Dubbed “AirBorne,” these vulnerabilities affect not just Apple devices but also third-party products that incorporate the AirPlay SDK, creating a vast attack surface that spans billions of potential targets.
Wormable Zero-Click Attacks Enable Lateral Movement Through Networks
What makes several of these vulnerabilities particularly concerning is their “wormable” nature. Once attackers compromise a single device, the infection can spread automatically to other vulnerable devices on any network to which the infected device is connected. This capability creates a potentially dangerous scenario in which an attack could rapidly propagate throughout an organization.
Two of the vulnerabilities (CVE-2025-24252 and CVE-2025-24132) allow attackers to weaponize wormable zero-click Remote Code Execution exploits, according to the Oligo research team. Attackers can gain complete control without requiring any user interaction, creating perfect conditions for widespread compromise.
In one particularly alarming attack scenario, attackers could compromise a macOS device connected to public Wi-Fi, then pivot and compromise additional devices later when it connects to a corporate network, allowing the attacker to spread throughout the organization. This attack method resembles techniques used in many corporate breaches where lateral movement occurs through wireless vectors.
Range of Impacted Devices
The scope of potentially vulnerable devices is staggering:
- Apple stated in January 2025 that there are 2.35 billion active Apple devices worldwide
- There are more than 100 million macOS users globally
- Tens of millions of third-party audio devices support AirPlay
- Over 800 vehicle models come with CarPlay capabilities
The vulnerabilities affect macOS computers, iPhones, iPads, Apple TVs, Vision Pro headsets, and various third-party devices like wireless speakers, receivers, and vehicle infotainment systems.
Multiple Attack Scenarios Demonstrated
Researchers documented several different attack scenarios, including Remote Code Execution (RCE), unauthorized device access, sensitive information disclosure, and denial-of-service (DoS) attacks.
- Remote Code Execution (RCE)
  - Zero-Click RCE on macOS: CVE-2025-24252 is a use-after-free flaw that allows remote attackers to execute arbitrary code without any user interaction. Combined with CVE-2025-24206 (a user interaction bypass), it lets attackers compromise macOS devices that are merely connected to the same network. This scenario is wormable: a compromised device can propagate malware across networks automatically.
  - One-Click RCE on macOS: CVE-2025-24271 and CVE-2025-24137 together exploit an ACL vulnerability that lets attackers send unauthorized AirPlay commands and achieve RCE after minimal user interaction. This primarily affects devices configured with the “Current User” AirPlay permission setting.
  - AirPlay SDK Zero-Click RCE: CVE-2025-24132 is a stack-based buffer overflow affecting speakers and receivers that lets attackers execute malicious code without user interaction. The consequences range from nuisance actions, such as playing audio, to serious intrusions, including eavesdropping through the device’s microphone.
  - CarPlay Device RCE: CVE-2025-24132 also affects CarPlay units, allowing attackers to compromise them wirelessly via Wi-Fi hotspots or Bluetooth pairing procedures. Risks include driver distraction, unauthorized surveillance, and vehicle tracking.
- Sensitive Information Disclosure
  - Vulnerabilities such as CVE-2025-24270 expose sensitive data across networks, enabling attackers to extract valuable information, fingerprint devices, and access confidential logs.
- Local Arbitrary File Read
  - CVE-2025-24270 also permits unauthorized local file access, potentially leading to the extraction of sensitive data, credential compromise, and privilege escalation.
- Access Control and User Interaction Bypasses
  - Critical vulnerabilities (including CVE-2025-24271 and CVE-2025-24206) let attackers bypass standard access controls and user interaction prompts, enabling unauthorized access and execution of AirPlay commands without proper authentication.
- Denial of Service and Additional Risks
  - Various additional vulnerabilities (including CVE-2025-24177, CVE-2025-24131, CVE-2025-31203, and others) let attackers cause Denial-of-Service (DoS) conditions, crash services, and remotely log users out.
Security Posture Implications
Oligo Security worked with Apple to responsibly disclose 23 vulnerabilities, resulting in the issuance of 17 CVEs. Apple has released software updates to address these vulnerabilities; however, many devices may remain unpatched and vulnerable.
For enterprises, these vulnerabilities present significant challenges. Any organization with Apple devices or AirPlay-compatible equipment could be exposed to wireless lateral movement through its networks. This could facilitate data exfiltration, ransomware deployment, or other high-impact attacks while remaining invisible to traditional detection methods.
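A first step toward scoping this exposure is knowing which AirPlay receivers are actually advertising on the network, since the third-party SDK devices mentioned above depend on vendor firmware updates rather than Apple's. The following script is an added example, not code from the Bastille post or from Oligo's research. It assumes that AirPlay receivers advertise an `_airplay._tcp` Bonjour/mDNS service whose TXT record carries keys such as `model` and `srcvers` (an assumption about the advertisement format), and that Apple's own hardware uses model identifiers beginning with prefixes such as `AppleTV` or `Mac` (a heuristic, also an assumption). The advertisements it parses are constructed sample data, not captured from a real network.

```python
"""Build an AirPlay receiver inventory from Bonjour/mDNS TXT records.

Added example for scoping AirBorne exposure; not from the original post.
Assumptions (not confirmed by the page): AirPlay receivers advertise an
_airplay._tcp service with TXT keys like "model" and "srcvers", and Apple
hardware model strings start with one of APPLE_MODEL_PREFIXES.
"""
from collections import Counter

# Constructed sample: one advertisement per line, "<instance name>\t<key=value ...>"
SAMPLE_ADVERTISEMENTS = """\
Living Room TV\tmodel=AppleTV6,2 srcvers=377.40.00 deviceid=AA:BB:CC:00:00:01 flags=0x244
Conference Speaker\tmodel=Speaker1,1 srcvers=220.68 deviceid=AA:BB:CC:00:00:02 flags=0x4
Boardroom Mac\tmodel=Macmini9,1 srcvers=377.40.00 deviceid=AA:BB:CC:00:00:03 flags=0x244
Lobby Receiver\tmodel=AVReceiver srcvers=190.9.0 deviceid=AA:BB:CC:00:00:04
Broken Line Without Tab
"""

# Heuristic list of Apple hardware model prefixes (assumption, not exhaustive).
APPLE_MODEL_PREFIXES = ("AppleTV", "Mac", "iMac", "iPhone", "iPad", "RealityDevice")


def parse_txt_record(txt):
    """Turn 'k=v k2=v2' into a dict; keys without '=' become flag-style True."""
    record = {}
    for token in txt.split():
        key, sep, value = token.partition("=")
        record[key] = value if sep else True
    return record


def parse_advertisements(text):
    """Parse advertisement lines into a list of dicts, skipping malformed lines."""
    receivers = []
    for line in text.splitlines():
        if "\t" not in line:          # malformed capture line: no TXT section
            continue
        name, txt = line.split("\t", 1)
        record = parse_txt_record(txt)
        record["name"] = name.strip()
        receivers.append(record)
    return receivers


def is_third_party(record):
    """True when the model string does not look like Apple's own hardware."""
    model = record.get("model", "")
    return not model.startswith(APPLE_MODEL_PREFIXES)


def third_party_receivers(receivers):
    """Names of receivers whose patch status depends on a third-party vendor."""
    return [r["name"] for r in receivers if is_third_party(r)]


def version_summary(receivers):
    """Count receivers per (model, srcvers) so patch coverage can be tracked."""
    return Counter((r.get("model", "?"), r.get("srcvers", "?")) for r in receivers)


if __name__ == "__main__":
    found = parse_advertisements(SAMPLE_ADVERTISEMENTS)
    for (model, ver), n in sorted(version_summary(found).items()):
        print(f"{model:<14} srcvers={ver:<10} count={n}")
    print("third-party receivers:", ", ".join(third_party_receivers(found)))
```

Feed it the output of a Bonjour browse of `_airplay._tcp` (one receiver per line, instance name and TXT text separated by a tab) and the summary tells you which models and source versions are present, so the patch list from the vendor advisories can be checked against what is actually on the air.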
Escalating Apple Exploits Seen in the Wild
This family of vulnerabilities comes as the latest piece of evidence for what appears to be an increasingly exploited and vulnerable Apple device ecosystem. In 2025, Apple released a series of patches against a wave of new zero-day vulnerabilities that attackers had been exploiting in the wild.
2025: Summary of Exploited Apple Zero-Days
| Date | CVE | Component | Exploited In The Wild? | Platforms |
|---|---|---|---|---|
| Jan 28, 2025 | CVE-2025-24085 | CoreMedia | ✅ Yes | iOS, iPadOS, macOS, tvOS, visionOS, watchOS |
| Feb 10, 2025 | CVE-2025-24200 | USB Restricted Mode | ✅ Yes | iOS, iPadOS |
| Mar 11, 2025 | CVE-2025-24201 | WebKit | ✅ Yes | iOS, iPadOS, Safari |
| Apr 16, 2025 | CVE-2025-31200 | CoreAudio | ✅ Yes | iOS, iPadOS, macOS |
| Apr 16, 2025 | CVE-2025-31201 | RPAC (Pointer Authentication) | ✅ Yes | iOS, iPadOS, macOS |
Why Wireless Airspace Defense Is Critical
The AirBorne vulnerabilities highlight a critical blind spot in most organizations’ security posture: their complete wireless airspace. Traditional security tools focus on wired networks and endpoints, and occasionally Wi-Fi, but fail to detect threats that propagate through the many out-of-band wireless networks present in enterprise and government airspaces.
By monitoring wireless connections in the 100 MHz to 7.125 GHz range, Bastille provides visibility into all wireless devices operating within your environment, including Wi-Fi, Bluetooth, cellular, and proprietary protocols such as AirPlay. This comprehensive monitoring allows security teams to detect attacks that traditional security tools miss.
When attackers attempt to exploit wireless vulnerabilities, such as those in AirPlay, Bastille’s sensor arrays detect these connection attempts in real-time, identifying the specific location of both the attacking device and the vulnerable targets. This visibility allows for an immediate response before sensitive systems are compromised.
As wireless attack vectors continue to proliferate, organizations must extend their security controls beyond traditional network boundaries. The AirBorne vulnerabilities demonstrate that complete security requires visibility into every wireless network operating in your environment.
For more information on how Bastille can help protect your organization from wireless threats, please contact our team to arrange a demonstration.