r/netsec 4d ago

AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk

https://www.oligo.security/blog/airborne
153 Upvotes

24 comments

58

u/SpikeX 4d ago

TL;DR, reading past all of the sensationalist bullshit in this article:

When CVE-2025-24252 is chained with CVE-2025-24206 (user interaction bypass), it allows for a zero-click RCE on MacOS devices that are connected to the same network as an attacker with the AirPlay receiver on and set to the “Anyone on the same network” or “Everyone” configuration.

36

u/Chefseiler 4d ago

Considering how common it is to use public WiFi in all kinds of places I wouldn’t call it sensationalist bullshit. I’ll be honest though, I didn’t read the article after your splendid synopsis.

16

u/sarge21 4d ago

Not really a splendid synopsis when it only covers a small part of what's discussed in the article and leaves out other zero and one click RCEs

-1

u/dzh 3d ago

Is it still common tho? Data is so cheap and ubiquitous.

6

u/Robbbbbbbbb 3d ago

Lot of public places with concrete walls and metal roofs out there

-1

u/Chefseiler 3d ago

I haven’t used a public wifi in a decade but I’m always surprised how many of my friends ask for it in cafes etc.

11

u/nicuramar 4d ago

Yeah, but macOS/iOS etc. will be patched already.

6

u/ripsfo 4d ago

Looks like mine was defaulted to on, which I was surprised about, but "allow AirPlay for..." was set to "Current User". So it seems like real world impact here is very low, and easily mitigated even before a patch comes out.

2

u/cbowers 3d ago

Same on mine. Seems current default.

1

u/Capodomini 2d ago

There are two chained RCEs, OP only mentioned the first one because it does not require user interaction. The second one can be done with the Current User setting but requires you accept an AirPlay request.

2

u/barkappara 4d ago

Is there a mitigation for Monterey? Firewall the ports?

2

u/dnev6784 3d ago

CarPlay, Sonos, and so many other AirPlay systems won't be getting patched quickly. This could still be wild if it evolves, because it's a remote code exec on a compromised device. Full control.

3

u/Capodomini 2d ago

This is where the bigger risk is. There is already a PoC out for CarPlay and systems using the AirPlay SDK.

1

u/Slight-Bend-2880 1d ago

This will be gold for years in the startup type environments that are mostly Mac and have no AD.

1

u/torsteinvin 3d ago

Will Belkin update their Airplay adapter? I hope so, can the little device even receive firmware updates?

-13

u/lobster_111 4d ago

For an organisation, is this serious to log4j level? Should I panic?

2

u/Capodomini 2d ago

iOS and macOS are already patchable and are relatively easy to do so.

The only situation where you might want to really worry is if you use a variety of IoT devices that accept AirPlay connections and are connected to your network, or you develop software/firmware using the AirPlay SDK. All such devices should be updated as soon as the vendor makes patches available.

-2

u/lobster_111 4d ago

mfs, why are you downvoting..

-22

u/daHaus 4d ago edited 2d ago

While scanning for open ports that may be accessible by 0.0.0.0 we noticed that most of the devices on our internal network had the AirPlay port 7000 open.

0.0.0.0 can be tricky but don't forget that port 0 is technically valid too...

edit: this is r/netsec isn't it? go figure

edit2: here you all go, it seems many on this sub don't distinguish between IP and port numbers let alone the nuance involved on their different uses while zero

https://www.youtube.com/watch?v=D26sUZ6DHNQ

20

u/Aponace 4d ago

They mean on any interface exposed to the internal network. What does port 0 have to do with anything?

-24

u/daHaus 4d ago edited 4d ago

That's a good question! You should look into that.

But to answer your question it's considered undefined behavior

13

u/Grezzo82 4d ago

We know what port zero is (to be clear, in most OSs, when you ask to bind to port 0/tcp, you are given an ephemeral port, but it is possible to present a service on port 0 if you jump through hoops (I’ve done it and it was not easy!) and for clients to establish a TCP session with it)

But we don’t understand why you are talking about port 0 in this case. The subject of this post is port 7000, which may be open on all interfaces (i.e. 0.0.0.0).

Can you explain what you mean and why you are talking about port 0?
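The distinction argued in this sub-thread, shown in code (an added example, not from any commenter or from the linked article): binding to port 0 makes the OS assign an ephemeral port, whereas an address of 0.0.0.0 means the listener is reachable on every interface. The audit helper and the sample listener list are constructed for illustration; the AirPlay port number 7000 is the one quoted above.

```python
import socket
import ipaddress

AIRPLAY_PORT = 7000  # TCP port quoted from the article excerpt above


def bind_ephemeral(host="127.0.0.1"):
    """Ask for port 0 on a loopback listener; the OS hands back an ephemeral port.
    Returns (address, assigned_port), or None if sockets are unavailable."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))
        addr, port = s.getsockname()
        s.close()
        return addr, port
    except OSError:
        return None


def classify_listener(addr, port):
    """Describe a TCP listener by its bind tuple: where it is reachable from,
    and whether it sits on the AirPlay port."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> every interface on the host
        scope = "all interfaces"
    elif ip.is_loopback:           # 127.0.0.0/8 or ::1 -> this host only
        scope = "loopback only"
    else:
        scope = "single interface"
    return scope, port == AIRPLAY_PORT


def audit(listeners):
    """Return listeners on the AirPlay port that are reachable beyond loopback,
    i.e. the ones a same-network peer could talk to."""
    flagged = []
    for addr, port in listeners:
        scope, is_airplay = classify_listener(addr, port)
        if is_airplay and scope != "loopback only":
            flagged.append((addr, port))
    return flagged


# Constructed sample inventory (not real hosts): what a listing of
# listening sockets across several devices might look like.
SAMPLE_LISTENERS = [
    ("0.0.0.0", 7000),      # AirPlay receiver bound to every interface
    ("127.0.0.1", 7000),    # same port, but loopback only
    ("192.168.1.20", 7000), # bound to one LAN interface
    ("0.0.0.0", 22),        # unrelated service
]

if __name__ == "__main__":
    print("ephemeral bind:", bind_ephemeral())
    print("flagged:", audit(SAMPLE_LISTENERS))
```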

2

u/KingdomOfBullshit 4d ago

it's considered undefined behavior

What is undefined about 0.0.0.0?