{"id":28978,"date":"2025-05-19T13:18:41","date_gmt":"2025-05-19T12:18:41","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/?p=28978"},"modified":"2025-05-19T13:18:41","modified_gmt":"2025-05-19T12:18:41","slug":"airborne-wormable-zero-click-vulnerability-in-apple-airplay","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/airborne-wormable-zero-click-vulnerability-in-apple-airplay\/28978\/","title":{"rendered":"AirBorne: Attacks on Apple devices through vulnerabilities in AirPlay"},"content":{"rendered":"

Researchers have discovered<\/a> a series of major security flaws in Apple AirPlay. They\u2019ve dubbed this family of vulnerabilities \u2013 and the potential exploits based on them \u2013 \u201cAirBorne\u201d. The bugs can be leveraged individually or in combinations to carry out wireless attacks on a wide range of AirPlay-enabled hardware.<\/p>\n

We\u2019re mainly talking about Apple devices here, but there are also a number of gadgets from other vendors that have this tech built in \u2013 from smart speakers to cars. Let\u2019s dive into what makes these vulnerabilities dangerous, and how to protect your AirPlay-enabled devices from potential attacks.<\/p>\n

What is Apple AirPlay?<\/h2>\n

First, a little background. AirPlay is an Apple-developed suite of protocols used for streaming audio and, increasingly, video between consumer devices. For example, you can use AirPlay to stream music from your smartphone to a smart speaker, or mirror your laptop screen on a TV.<\/p>\n

All this happens wirelessly: streaming typically uses Wi-Fi, or, as a fallback, a wired local network. It\u2019s worth noting that AirPlay can also operate without a centralized network \u2013 be it wired or wireless \u2013 by relying on Wi-Fi Direct, which establishes a direct connection between devices.<\/p>\n

\"AirPlay<\/a>

AirPlay logos for video streaming (left) and audio streaming (right). These should look familiar if you own any devices made by the Cupertino company. Source<\/a><\/p><\/div>\n

Initially, only certain specialized devices could act as AirPlay receivers. These were AirPort Express routers, which could stream music from iTunes through the built-in audio output. Later, Apple TV set-top boxes, HomePod smart speakers, and similar devices from third-party manufacturers joined the party.<\/p>\n

However, in 2021, Apple decided to take things a step further \u2013 integrating an AirPlay receiver into macOS. This gave users the ability to mirror their iPhone or iPad screens on their Macs. iOS and iPadOS were next to get AirPlay receiver functionality \u2013 this time to display the image from Apple Vision Pro mixed-reality headsets.<\/p>\n

\"AirPlay<\/a>

AirPlay lets you stream content either over your regular network (wired or wireless), or by setting up a Wi-Fi Direct connection between devices. Source<\/a><\/p><\/div>\n

CarPlay, too, deserves a mention, being essentially a version of AirPlay that\u2019s been adapted for use in motor vehicles. As you might guess, the vehicle\u2019s infotainment system is what receives the stream in the case of CarPlay.<\/p>\n

So, over two decades, AirPlay has gone from a niche iTunes feature to one of Apple\u2019s core technologies that underpins a whole bunch of features in the ecosystem. And, most importantly, AirPlay is currently supported by hundreds of millions, if not billions, of devices, and many of them can act as receivers.<\/p>\n

What\u2019s AirBorne, and why are these vulnerabilities a big deal?<\/h2>\n

AirBorne is a whole family of security flaws in the AirPlay protocol and the associated developer toolkit \u2013 the AirPlay SDK. Researchers have found a total of 23 vulnerabilities, which, after review, resulted in 17 CVE entries being registered. Here\u2019s the list, just to give you a sense of the scale of the problem:<\/p>\n

    \n
  1. CVE-2025-24126<\/a><\/li>\n
  2. CVE-2025-24129<\/a><\/li>\n
  3. CVE-2025-24131<\/a><\/li>\n
  4. CVE-2025-24132<\/a><\/li>\n
  5. CVE-2025-24137<\/a><\/li>\n
  6. CVE-2025-24177<\/a><\/li>\n
  7. CVE-2025-24179<\/a><\/li>\n
  8. CVE-2025-24206<\/a><\/li>\n
  9. CVE-2025-24251<\/a><\/li>\n
  10. CVE-2025-24252<\/a><\/li>\n
  11. CVE-2025-24270<\/a><\/li>\n
  12. CVE-2025-24271<\/a><\/li>\n
  13. CVE-2025-30422<\/a><\/li>\n
  14. CVE-2025-30445<\/a><\/li>\n
  15. CVE-2025-31197<\/a><\/li>\n
  16. CVE-2025-31202<\/a><\/li>\n
  17. CVE-2025-31203<\/a><\/li>\n<\/ol>\n
    \"AirBorne<\/a>

    You know how any serious vulnerability with a modicum of self-respect needs its own logo? Yeah, AirBorne\u2019s got one too. Source<\/a><\/p><\/div>\n

    These vulnerabilities are quite diverse: from remote code execution (RCE) to authentication bypass. They can be exploited individually or chained together. So, by exploiting AirBorne, attackers can carry out the following types of attacks:<\/p>\n