Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks

Information:

AirPlay is a system developed by Apple that lets users wirelessly transfer multimedia between supported devices. It allows you to stream content from your Apple devices to speakers, TVs, or other AirPlay-compatible devices without cables. AirPlay also carries various types of data, including images, audio, and video, making content sharing easier and more convenient than ever.

A set of security vulnerabilities in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK) exposed unpatched third-party and Apple devices to various attacks, including remote code execution.

According to cybersecurity company Oligo Security, which disclosed 23 security vulnerabilities to Apple, Apple released security updates addressing these vulnerabilities (collectively known as "AirBorne") on March 31.

  While the AirBorne vulnerabilities can only be exploited by attackers on the same network via wireless networks or peer-to-peer connections, they allow taking over vulnerable devices and using the access as a launchpad to compromise other AirPlay-enabled devices on the same network.

  Oligo's security researchers said they were able to demonstrate that attackers can use two of the security flaws (CVE-2025-24252 and CVE-2025-24132) to create wormable zero-click RCE exploits.

Incident:

Additionally, the CVE-2025-24206 user interaction bypass flaw enables a threat actor to bypass "Accept" click requirements on AirPlay requests and can be chained with other flaws to launch zero-click attacks.

"This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to. This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more," Oligo warned.

Solution:

  Mitigation steps for AirPlay security risks are as follows:

- Update your devices: Install the latest software updates to protect against security vulnerabilities.

  • AirPlay audio SDK: version 2.7.1
  • AirPlay video SDK: version 3.6.0.126
  • CarPlay Communication Plug‑in: R18.1

- Disable AirPlay Receiver: If you are not using the AirPlay receiver, fully disable it to improve security.

- Restrict AirPlay Access: Create firewall rules to limit AirPlay communication (port 7000 on Apple devices) to only trusted devices.

- Restrict AirPlay Settings: Change the “Allow AirPlay for” setting to “Current User.”
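A firewall rule set for the "Restrict AirPlay Access" step, as an added example that is not from the original page, from Apple or from Oligo: a macOS pf anchor that admits AirPlay traffic on TCP port 7000 only from a trusted list. The interface name en0 and the trusted addresses are constructed placeholders.

```pf
# /etc/pf.anchors/airplay  (constructed example, not from the page)
# Admit AirPlay traffic (TCP 7000) only from trusted devices.
# Interface and addresses are placeholders; replace with your own.
trusted_airplay = "{ 192.168.10.20, 192.168.10.21 }"
airplay_if = "en0"

# pf evaluates rules top to bottom and "quick" stops at the first match,
# so the pass rule for trusted senders must come before the block rule.
pass in quick on $airplay_if proto tcp from $trusted_airplay to ($airplay_if) port 7000 keep state
block in log quick on $airplay_if proto tcp from any to ($airplay_if) port 7000

# Reference the anchor from /etc/pf.conf, then reload and enable pf:
#   anchor "airplay"
#   load anchor "airplay" from "/etc/pf.anchors/airplay"
#   sudo pfctl -f /etc/pf.conf -e
# Verify the loaded anchor rules with:  sudo pfctl -a airplay -sr
```

On devices where the AirPlay Receiver is disabled entirely (the previous step) this rule is redundant; on devices that must keep receiving, it limits exposure to the trusted hosts and logs blocked attempts to pflog0 for review.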

 

Security is what matters most; we must stay alert and keep monitoring as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)

 

References:

Weekly Interesting CVE

Columns: No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference

1. CVE-2025-22457
- Published Date: 3/4/2025
- Last Update: 24/4/2025
- Device/Application/OS Target: Ivanti Connect Secure before version 22.7R2.6; Ivanti Policy Secure before version 22.7R1.4; Ivanti ZTA Gateways before version 22.8R2.2
- Attack Type: remote code execution by a remote unauthenticated attacker
- CVSS Severity Rating: 9.0
- Detail: A stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways allows a remote unauthenticated attacker to achieve remote code execution.
- Solution: Update to Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.5, and Ivanti ZTA Gateways 22.8R2.2.
- Reference: https://app.opencve.io/cve/CVE-2025-22457

2. CVE-2020-35498
- Published Date: 11/2/2021
- Last Update: 23/4/2025
- Device/Application/OS Target: Open vSwitch versions 2.5.0 to 2.11.5; particularly relevant to operating systems that use OVS, such as Debian, Fedora, Ubuntu, and Citrix Hypervisor
- Attack Type: denial of service
- CVSS Severity Rating: 7.5
- Detail: A vulnerability was found in Open vSwitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet, causing the resulting megaflow in the kernel to be too wide and potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
- Solution: Update to Open vSwitch 2.11.6, 2.14.2 or newer.
- Reference: https://app.opencve.io/cve/CVE-2020-35498

3. CVE-2024-7991
- Published Date: 29/10/2024
- Last Update: 25/4/2025
- Device/Application/OS Target: Autodesk AutoCAD, AutoCAD LT, AutoCAD Architecture, AutoCAD Electrical, AutoCAD Map 3D, AutoCAD Mechanical, AutoCAD MEP, AutoCAD Plant 3D, Civil 3D, Advance Steel (impacted versions: 2025, 2024, 2023); Autodesk DWG TrueView (impacted versions: 2025, 2024)
- Attack Type: Out-of-Bounds Write
- CVSS Severity Rating: 7.8
- Detail: A maliciously crafted DWG file, when parsed through Autodesk AutoCAD and certain AutoCAD-based products, may force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.
- Solution: Autodesk AutoCAD, AutoCAD LT, AutoCAD Architecture, AutoCAD Electrical, AutoCAD Map 3D, AutoCAD Mechanical, AutoCAD MEP, AutoCAD Plant 3D, Civil 3D, Advance Steel: update to mitigated versions 2025.1.1, 2024.1.7, 2023.1.7. Autodesk DWG TrueView: update to mitigated versions 2025.1.1, 2024.1.7.
- Reference: https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0021

4. CVE-2024-21762
- Published Date: 9/2/2024
- Last Update: 24/4/2025
- Device/Application/OS Target: FortiOS versions 6.0.0 to 7.4.2; FortiProxy versions 1.0.0 to 7.4.2
- Attack Type: Out-of-Bounds Write
- CVSS Severity Rating: 9.6
- Detail: An out-of-bounds write vulnerability in FortiOS and FortiProxy may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
- Solution: Update to the latest version.
- Reference: https://www.fortiguard.com/psirt/FG-IR-24-015

5. CVE-2025-31324
- Published Date: 24/4/2025
- Last Update: 25/4/2025
- Device/Application/OS Target: SAP NetWeaver Visual Composer Framework 7.50
- Attack Type: unauthenticated file upload
- CVSS Severity Rating: 10.0
- Detail: SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system.
- Solution: Update to the latest version.
- Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-31324


Campaign

Columns: No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation

1. DragonForce expands ransomware model with white-label branding scheme
- Detection Date: 26/04/2025
- Attack Type: Ransomware
- Description: A group called DragonForce has formed that targets ESXi, NAS, BSD and Windows systems and demands ransom from all business sectors except those related to health care; this is the group's main rule. The DragonForce group was formed to gather RaaS (ransomware as a service) users. The group provides tools that facilitate theft and extortion, such as storage for stolen data, malware to expand the attack surface, and victim data to carry out the attack. DragonForce takes a 20% cut after the ransom is paid, as opposed to RaaS developers, who typically take 30% to 40%.
- Mitigation/Remediation:
  • Update systems and software: regularly check for and install the latest security patches.
  • Deploy antivirus.
  • Restrict internal network access: minimize lateral movement by limiting access between systems.
  • Back up critical data regularly: store backups separately from the main system to ensure recovery.
  • Train employees: educate staff on recognizing phishing emails and avoiding unknown attachments.
- Ref: https://securityaffairs.com/176662/apt/china-linked-apt-mustang-panda-upgrades-tools-in-its-arsenal.html

14 May 2025
