Apple AirPlay "AirBorne" vulnerabilities: Find impacted devices

How to find Apple AirPlay devices on your network

runZero Team

Updated May 8, 2025, 12:00pm EDT

Latest Apple AirPlay vulnerabilities #

Several vulnerabilities, collectively known as AirBorne by Oligo Security researchers, were disclosed in the latest releases of its macOS, tvOS, iOS, and iPadOS operating systems.

CVE-2025-24252 and has been rated critical with a CVSS score of 9.8.
CVE-2025-24206 and has been rated high with a CVSS score of 7.7.
CVE-2025-24132 and has been rated medium with a CVSS score of 6.5.

What is the impact? #

When exploited independently or chained together, local attackers can perform several different attacks on vulnerable devices including remote code execution and sensitive information disclosure.

CVE-2025-24252 potentially allows a local attacker to remotely execute code. When chained together with CVE-2025-24206, a local attacker could potentially attack other devices connected to an Apple device through the AirPlay protocol.

CVE-2025-24132 allows a local attacker the potential ability to remotely execute code on third-party devices using Apple's AirPlay SDK. For devices with a microphone, successful exploitation could lead to information disclosure through eavesdropping.

Are updates available? #

The Apple-specific device issues have been resolved in the following operating system updates:

macOS Ventura 13.7.5, Sonoma 14.7.5, Sequoia 15.4
iOS 18.4
iPadOS 17.7.6, 18.4
tvOS 18.4
visionOS 2.4

CVE-2025-24132 was resolved in Apple's AirPlay audio SDK 2.7.1, Airplay video SDK 3.6.0.126, and CarPlay Communication Plug-in R18.1 updates.

How do I find potentially vulnerable Apple devices with runZero? #

Vulnerable devices can be found by navigating to the Asset Inventory and using the following query:

hw:="apple%" AND protocol:airplay AND (
    (os:="apple macos" AND ((osversion:>"13.0" AND osversion:<"13.7.5") OR (osversion:>"14.0" AND osversion:<"14.7.5") OR (osversion:>"15.0" AND osversion:<"15.4"))) OR
    (os:="apple ipados" AND ((osversion:>"17.0" AND osversion:<"17.7.6") OR (osversion:>"18.0" AND osversion:<"18.4"))) OR
    ((os:="apple tvos" OR os:="apple audioos") AND osversion:<"18.4") OR
    (os:="apple ios" AND osversion:<"18.4") OR
    (os:="apple visionos" AND osversion:<"2.4")
  )

How do I find potentially vulnerable third-party devices with runZero? #

Vulnerable devices can be found by navigating to the Services Inventory and using the following query:

_asset.protocol:airplay AND protocol:airplay AND not hw:Apple