Wormable Zero-Click RCE in AirPlay Impacts Billions of Apple and IoT Devices
Black Hat USA 2025 · Day 1 · Briefings
"Airborne" is a collection of 23 vulnerabilities — 17 assigned CVEs — in Apple's AirPlay protocol and the AirPlay SDK used by third-party IoT device manufacturers. The research produced the first-ever zero-click, wormable remote code execution on macOS, alongside unauthenticated RCE on Bose smart speakers and Pioneer in-car multimedia systems. More than 200,000 AirPlay-enabled devices are directly internet-exposed; billions more are reachable over local networks, Bluetooth, or browser-based access to port 7000.
AI review
Twenty-three vulnerabilities across Apple's AirPlay protocol and third-party SDK, including the first-ever zero-click wormable RCE on macOS, root on Bose speakers, root on Pioneer in-car systems, and 200,000+ directly internet-exposed devices. This is what Black Hat is for. The UAF chain with heap spray, the remote-control flag auth bypass, and the SDK stack overflow are all clean primitives that will be studied for years.