CVE-2025-24132

MEDIUM

AirPlay Audio and Video SDK < 2.7.1 and < 3.6.0.126 - Denial of Service via Memory Corruption


Exploitation Summary

EIP tracks 6 public exploits for CVE-2025-24132. PoCs published by ekomsSavior, XiaomingX, Feralthedogg.

Description

The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1 and AirPlay video SDK 3.6.0.126. An attacker on the local network may cause an unexpected app termination.

Exploits (6)

github WORKING POC 152 stars
by ekomsSavior · python · poc
https://github.com/ekomsSavior/AirBorne-PoC

This repository contains a functional exploit PoC for CVE-2025-24132, targeting a heap overflow in Apple's AirPlay service on port 7000. It includes multiple payload options (bash, Python, PowerShell) and supports persistence via .bashrc injection.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apple AirPlay service
No auth needed
Prerequisites: Network access to target on port 7000 · Python 3 with scapy library
devstral-2 · analyzed Feb 19, 2026

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-24132

This repository contains a functional PoC for CVE-2025-24132, which exploits a buffer overflow in the AES CTR encryption handling of AirPlay/MFi devices. The exploit triggers a crash by sending a malformed SETUP packet with an oversized encryption key, demonstrating the vulnerability in devices like CarPlay units.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: AirPlay/MFi devices (e.g., CarPlay units)
No auth needed
Prerequisites: Network access to the target device · Device must be running a vulnerable version of the AirPlay/MFi firmware
devstral-2 · analyzed Mar 02, 2026

nomisec WORKING POC 3 stars
by Feralthedogg · poc
https://github.com/Feralthedogg/CVE-2025-24132-Scanner

This is a functional PoC scanner for CVE-2025-24132, which tests AirPlay-capable devices for a zero-click HTTP RCE vulnerability via mDNS discovery and an HTTP POST request with a reverse shell payload.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: AirPlay-capable devices (specific version not specified)
No auth needed
Prerequisites: Python 3.7+ · PyQt5 · zeroconf package · network access to AirPlay devices
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-24132

The repository contains a functional PoC for CVE-2025-24132, which exploits a buffer overflow in the AES CTR encryption handling within AirPlay SDK-based devices. The exploit triggers a crash by sending a malformed SETUP packet with an oversized encryption key, demonstrating the vulnerability in devices with MFi code paths.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: AirPlay SDK-based devices (e.g., CarPlay units)
No auth needed
Prerequisites: Network access to the target device · Device must have MFi code paths · RTSP service accessible on port 5000 or 7000
devstral-2 · analyzed Mar 02, 2026

nomisec WORKING POC 1 star
by TheGamingGallifreyan · poc
https://github.com/TheGamingGallifreyan/LiberationPlay-CVE-2025-24132-AirBourne-POC

This repository contains a functional exploit PoC for CVE-2025-24132, targeting a buffer overflow in the AES CTR encryption handling within AirPlay's SETUP packet processing. The exploit demonstrates the vulnerability by causing a crash in vulnerable devices, particularly those without stack protections.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: AirPlay (CarPlay and other AirPlay-enabled devices)
No auth needed
Prerequisites: Physical access to the target device or network access to the AirPlay service · Device must not require PIN-based authentication for AirPlay pairing
devstral-2 · analyzed Mar 03, 2026

nomisec WORKING POC
by TheGamingGallifreyan · poc
https://github.com/TheGamingGallifreyan/LiberationPlay-CVE-2025-24132-AirBourne-Crash-POC

This PoC exploits a buffer overflow in the AES CTR encryption handling of AirPlay/MFi devices (CVE-2025-24132) by sending a malformed SETUP packet with an oversized encryption key, causing a crash. The exploit targets vulnerable CarPlay/AirPlay units and requires no authentication.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: AirPlay/MFi devices (e.g., CarPlay head units)
No auth needed
Prerequisites: Network access to vulnerable device · Device must be MFi-enabled and unpatched
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.5
EPSS 0.0312
EPSS Percentile 86.1%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-119
Status published
Products (5)
Apple/AirPlay audio SDK < 2.7.1
Apple/AirPlay video SDK < 2.7.1
apple/airplay_audio_software_development_kit < 2.7.1
apple/airplay_video_software_development_kit < 3.6.0.126
apple/carplay_communication_plug-in < r18.1
Published Apr 30, 2025
Tracked Since Feb 18, 2026