
AirBorne: Wormable Zero-Click Exploitation of AirPlay Protocol Threatens CarPlay Ecosystems
- easycore
- Automotive security , Vulnerability research
- April 29, 2025
Abstract
Oligo Security has identified 23 vulnerabilities—17 assigned CVEs—within Apple’s AirPlay protocol and AirPlay SDK, impacting native Apple devices and third-party implementations, including CarPlay-enabled automotive infotainment systems. Two critical vulnerabilities, CVE-2025-24132 (stack-based buffer overflow) and CVE-2025-24252 (use-after-free), permit wormable zero-click remote code execution (RCE) under certain configurations.
Reference: Full vulnerability details are available in Oligo Security’s AirBorne report.
Key Risks to Automotive Systems
The identified vulnerabilities facilitate compromise of CarPlay environments through network-adjacent or local physical vectors:
- Zero-Click & One-Click RCE
  - CVE-2025-24132 enables full compromise of CarPlay devices without user interaction.
  - CVE-2025-24252 chained with CVE-2025-24206 permits wormable exploitation in macOS-powered automotive deployments.
- Lateral Propagation
  - Wormable RCE enables autonomous spread between AirPlay-enabled devices across in-vehicle and external networks.
- Attack Surfaces
  - Wi-Fi: Exploitable where CarPlay hotspots use default or predictable credentials.
  - Bluetooth: Credential leakage over the iAP2 protocol allows proximity-based compromise.
  - USB: Wired CarPlay interfaces are susceptible via direct connection.
Potential Automotive Impacts
- Injection of distracting media or visuals into the driver’s interface
- Geolocation tracking of vehicles via compromised infotainment units
- Passive audio surveillance via embedded microphones
- Pivoting from infotainment to other in-vehicle networks or telematics systems
Technical Basis
AirBorne exploits arise from insecure handling of property list (plist) arguments in AirPlay control commands. Vulnerability classes include:
- Memory corruption: stack-based buffer overflows (CVE-2025-24132), use-after-free conditions (CVE-2025-24252, CVE-2025-31197)
- Type confusion: improper CFType validation during plist parsing (CVE-2025-24137, CVE-2025-30445)
- Access control bypasses: circumvention of AirPlay ACLs (CVE-2025-24271) and “click-to-accept” authorization (CVE-2025-24206)
- Resource exhaustion: uncontrolled memory consumption leading to service crashes
Such weaknesses enable both code execution and broader post-exploitation objectives, including credential theft and man-in-the-middle (MITM) positioning.
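As an added illustration, not code from Oligo Security, Apple or the AirPlay SDK, the Python below shows the schema-enforced argument handling that closes off the type-confusion class just described: every plist value a control command consumes is checked against an expected type before use, and the untyped Python value is never handed onward. The command, its keys and the sample payloads are hypothetical, constructed for this example.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Hypothetical argument schema for one control command (constructed for this
# example, not the real AirPlay command set): key -> tuple of allowed types.
# plistlib maps CFString -> str, CFNumber -> int/float, CFBoolean -> bool,
# CFData -> bytes, CFDictionary -> dict, CFArray -> list.
VOLUME_SCHEMA = {"volume": (int, float), "deviceID": (str,)}

class PlistArgumentError(ValueError):
    """A plist argument is missing, malformed, or of an unexpected type."""

def parse_arguments(raw: bytes, schema: dict) -> dict:
    """Parse a plist payload and return only the schema keys, each type-checked.
    Missing keys, wrong types and non-plist bytes all raise PlistArgumentError."""
    try:
        root = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise PlistArgumentError(f"malformed plist: {exc}") from exc
    if not isinstance(root, dict):
        raise PlistArgumentError("root object must be a dictionary")
    out = {}
    for key, allowed in schema.items():
        if key not in root:
            raise PlistArgumentError(f"missing argument: {key}")
        value = root[key]
        names = "/".join(t.__name__ for t in allowed)
        # bool is a subclass of int in Python: a CFBoolean must not pass as a number.
        if isinstance(value, bool) and bool not in allowed:
            raise PlistArgumentError(f"{key}: boolean where {names} expected")
        if not isinstance(value, allowed):
            raise PlistArgumentError(f"{key}: got {type(value).__name__}, expected {names}")
        out[key] = value
    return out

def is_valid(raw: bytes, schema: dict = VOLUME_SCHEMA) -> bool:
    """Boolean form of parse_arguments for quick accept/reject decisions."""
    try:
        parse_arguments(raw, schema)
        return True
    except PlistArgumentError:
        return False

# Constructed sample payloads (XML plist form), all with the same device ID.
DEV = "AA:BB:CC:DD:EE:FF"
GOOD = plistlib.dumps({"volume": -20.0, "deviceID": DEV})
BAD_TYPE = plistlib.dumps({"volume": b"\x00" * 8, "deviceID": DEV})  # CFData where a number is expected
BAD_BOOL = plistlib.dumps({"volume": True, "deviceID": DEV})         # CFBoolean where a number is expected
NOT_PLIST = b"\x00\x01garbage"
```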
Recommended Mitigations for Automotive Environments
- Immediate software updates to CarPlay devices and connected Apple endpoints
- Restrict AirPlay receiver settings to “Current User”
- Disable AirPlay receiver if functionality is non-essential
- Apply network segmentation and firewall rules to block port 7000 except for trusted hosts
Conclusion
AirBorne exemplifies how consumer-facing connectivity protocols can introduce critical vulnerabilities into automotive infotainment environments. The presence of wormable zero-click RCE pathways underscores the necessity of secure-by-design protocol implementation, robust input validation, and proactive update policies across the automotive software supply chain.