Hackers could hijack your AirPlay devices with ‘AirBorne’ flaws


Millions of AirPlay devices may be putting users at risk — and hackers don’t even need a password to break in.

A newly discovered set of flaws, dubbed AirBorne, exposes Apple’s AirPlay and CarPlay technology to attacks from hackers on the same Wi-Fi network. According to cybersecurity firm Oligo, the vulnerabilities could allow attackers to hijack third-party smart speakers, TVs, set-top boxes, and other AirPlay-enabled gadgets.

AirPlay is Apple’s wireless streaming technology that lets users send video, audio, and other content between devices on the same network, while CarPlay connects an iPhone to a car’s infotainment system for navigation, music, and communication.

Both systems are widely used across Apple’s ecosystem and in millions of third-party products.

AirPlay’s open design made it vulnerable

Oligo revealed the flaws in a detailed report. The firm worked with Apple to patch its own products, but millions of third-party devices are likely still exposed.

Researchers demonstrated that two of the vulnerabilities, CVE-2025-24252 and CVE-2025-24132, can be used to create wormable, zero-click exploits. In other words, attackers could hijack certain AirPlay-enabled devices without needing any interaction from the user.

Compromised devices could be weaponized for serious attacks like espionage, ransomware delivery, supply-chain infiltration, and surveillance. In some cases, attackers could even hijack the microphone of a smart speaker to eavesdrop on conversations or manipulate media playback to cause distractions.

The vulnerabilities stem from AirPlay’s open-access design, which was originally built for seamless device pairing over Wi-Fi. Oligo researchers found that AirPlay servers often exposed commands without sufficient access controls, leaving devices vulnerable to remote takeover.

Public Wi-Fi risks are real but limited

Apple patched its own devices through recent updates, but it has no control over the update process for third-party manufacturers. Oligo warns that many third-party devices, especially older ones, may never receive fixes, leaving them permanently vulnerable.

Although an attacker must be on the same Wi-Fi network to exploit AirBorne flaws, public Wi-Fi networks present an obvious danger. Airports, hotels, cafes, and other crowded locations offer ideal environments for attackers to hijack vulnerable devices.

Still, people rarely bring smart home devices into these spaces, limiting some of the practical exposure.

Some CarPlay-enabled devices could also be vulnerable. If a CarPlay device uses a default, predictable, or weak Wi-Fi password, attackers nearby could gain access and carry out a remote code execution attack.

Additionally, some vendors exchange Wi-Fi credentials over Bluetooth using the iAP2 protocol, meaning an attacker could intercept the process by observing the PIN during pairing and entering it.

Even non-wireless CarPlay systems aren’t immune, as vulnerabilities could be exploited via physical USB connections. Successful attacks could allow eavesdropping on conversations inside the vehicle, tracking its location, or distracting drivers through manipulated media playback.

How to protect your AirPlay devices

For users, the best step is to install any available updates for third-party AirPlay devices as soon as they are released. It’s also safer to keep these devices on secured home networks and avoid connecting them to public Wi-Fi, where hacking risks are higher.

Securing your own Wi-Fi network also closes nearly every attack vector exposed by “AirBorne.”

Users can disable AirPlay features on devices they don’t regularly use to reduce their exposure. In some cases, replacing older smart home products that no longer receive updates may be the best option for maintaining security.


