Wormable AirPlay Flaws Threaten Apple & Third-Party Devices
by Justin Erickson
Oligo Security researchers have disclosed 23 vulnerabilities in Apple’s AirPlay protocol and SDK—17 of which received CVE IDs. Two core flaws, CVE-2025-24252 (use-after-free) and CVE-2025-24132 (stack buffer overflow), can be chained to deliver wormable, zero-click remote-code execution against Macs, iPhones, Apple TVs, CarPlay units, and many other third-party speakers. An attacker on the same Wi-Fi network—or within Bluetooth range of some car systems—could silently seize a device, then propagate malware to anything it later connects to. Apple patched the issues in macOS Sequoia 15.4, iOS/iPadOS 18.4, tvOS 18.4, visionOS 2.4, and updated AirPlay SDKs. Users who have not updated remain exposed to these vulnerabilities and should update their devices as soon as possible.