Security researchers have recently disclosed a group of 23 critical vulnerabilities in Apple’s AirPlay technology, collectively named “AirBorne.” These flaws could potentially be exploited by threat actors on the same wireless or peer-to-peer network to conduct zero-click or one-click remote code execution (RCE) attacks, adversary-in-the-middle (AitM) attacks, and denial of service (DoS) attacks. They could also be leveraged to bypass access control lists and user-interaction requirements to gain access to sensitive files.
The vulnerabilities stem from flaws in Apple’s implementation of the AirPlay protocol and Software Development Kit (SDK), which is used for streaming media between devices. They affect a broad range of Apple products, including iPhones, iPads, MacBooks, Apple TVs, and the Vision Pro headset. Apple also licenses the AirPlay SDK to third-party manufacturers who use it in a wide variety of devices—such as smart TVs, speakers, and CarPlay systems—which are also vulnerable.
While Apple released security patches for its products on March 31, 2025, many third-party vendors have not yet followed suit. This delay in patching leaves countless devices potentially exposed, especially in environments like homes, offices, and public spaces where multiple devices share the same network.
Source: Bleeping Computer
Analysis
The AirBorne vulnerabilities present exactly the kind of opportunity a well-resourced spyware operator like NSO Group—the developers of Pegasus—would seek to exploit. Pegasus is known for leveraging zero-click vulnerabilities to silently infect mobile devices and gain full access to data, cameras, microphones, and communications.
In previous campaigns, Pegasus has taken advantage of flaws in messaging apps, telephony services, and even image rendering pipelines—essentially any vector that allows code execution without user interaction. The AirBorne flaws, offering remote code execution via Wi-Fi without the need for a click, align perfectly with Pegasus’s attack profile.
While Apple has acted quickly to patch its own devices, the fragmented update landscape among third-party AirPlay implementers may allow Pegasus or similar actors to continue leveraging these flaws in stealthy, high-impact surveillance operations. This underscores the persistent threat posed by advanced spyware and the need for rapid patch adoption across the entire device ecosystem.
This case also highlights how vulnerabilities in widely used wireless protocols can have cascading effects across ecosystems, particularly when third-party patching lags. Timely updates and good network hygiene are critical in defending against these types of increasingly sophisticated, low-interaction threats.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Apple’s operating systems. Field Effect MDR users are automatically notified if a vulnerable version of Apple software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
To reduce the risk posed by the AirBorne vulnerabilities, Field Effect strongly encourages users to immediately update their Apple devices to the latest firmware versions. Users may also wish to disable AirPlay on devices where it’s not necessary and secure Wi-Fi networks with strong passwords to prevent unauthorized access.
For third-party products, users/organizations should check with manufacturers whose products use AirPlay for relevant security updates.