AirPlay access control bypass allowing unauthenticated commands without pairing
CVE-2025-24271 is an access control flaw in Apple AirPlay. According to Apple, an unauthenticated user on the same network as a signed-in Mac could send AirPlay commands to the device without completing pairing. The issue was addressed with improved access restrictions in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, iOS 18.4, iPadOS 18.4, iPadOS 17.7.6, tvOS 18.4, and visionOS 2.4. Third-party reporting on the AirBorne vulnerability set characterizes this CVE as an ACL/access-control weakness in AirPlay that removes the expected pairing barrier for command delivery from a local-network attacker.
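The fix list above is what a defender actually uses to answer "are we exposed?". The following is an added example (not code from the Mallory page, from Apple, or from the PoC repository) that encodes those fixed versions per platform branch and triages a constructed sample inventory; the platform labels, the `INVENTORY` records and the host names are assumptions. Any platform or major branch the advisory does not list is reported as "unknown" rather than "fixed", because a device on an unlisted branch may simply have no fix available.

```python
"""Exposure triage for CVE-2025-24271 (AirPlay access control bypass).

Added example; the fixed versions come from Apple's advisory as summarised
on the page. Everything else (platform labels, sample inventory) is assumed.
"""
from typing import Optional

# Fixed version per platform and major branch, from the advisory text:
# macOS Sequoia 15.4, Sonoma 14.7.5, Ventura 13.7.5, iOS 18.4,
# iPadOS 18.4 and 17.7.6, tvOS 18.4, visionOS 2.4.
FIXED = {
    "macos": {15: (15, 4), 14: (14, 7, 5), 13: (13, 7, 5)},
    "ios": {18: (18, 4)},
    "ipados": {18: (18, 4), 17: (17, 7, 6)},
    "tvos": {18: (18, 4)},
    "visionos": {2: (2, 4)},
}


def parse_version(text: str) -> tuple:
    """Turn '14.7.5' into (14, 7, 5); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: tuple, b: tuple) -> int:
    """Compare two version tuples, padding with zeros so 15.4 == 15.4.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def exposure(platform: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one device.

    'unknown' covers platforms and major branches the advisory does not list;
    treat those as needing manual review, not as safe.
    """
    branches: Optional[dict] = FIXED.get(platform.lower())
    if branches is None:
        return "unknown"
    v = parse_version(version)
    fix = branches.get(v[0])
    if fix is None:
        return "unknown"
    return "fixed" if compare(v, fix) >= 0 else "vulnerable"


# Constructed sample inventory (hostname, platform, version); not real assets.
INVENTORY = [
    ("mac-eng-01", "macOS", "15.3.2"),
    ("mac-eng-02", "macOS", "15.4"),
    ("mac-fin-07", "macOS", "14.7.5"),
    ("mac-legacy", "macOS", "12.7.6"),
    ("ipad-lobby", "iPadOS", "17.7.5"),
    ("tv-boardroom", "tvOS", "18.4"),
    ("watch-ceo", "watchOS", "11.4"),
]


def triage(inventory) -> dict:
    """Group hosts by exposure status so the vulnerable set can be queried."""
    out = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, platform, version in inventory:
        out[exposure(platform, version)].append(host)
    return out


def needs_patch(inventory) -> list:
    """Hosts that are confirmed below the fixed version for their branch."""
    return triage(inventory)["vulnerable"]


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Running it prints the three buckets; the "unknown" bucket (here a macOS 12 host and a watchOS device) is the one to review by hand rather than assume patched.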
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept exploit for CVE-2025-24271, a vulnerability affecting Apple AirPlay on various Apple operating systems (macOS, iOS, iPadOS, tvOS, visionOS). The main script, 'CVE-2025-24271.py', performs mDNS (Bonjour) discovery to locate AirPlay devices on the local network using the zeroconf library. For each discovered device, it sends a crafted HTTP POST request to the '/play' endpoint, referencing a malicious media file hosted at 'http://attacker.local/evil.mov'. The exploit demonstrates the ability to interact with and potentially exploit AirPlay devices by sending unauthorized playback requests. The README provides affected OS versions and a brief description of the vulnerability. The exploit is a network-based POC and does not include a weaponized or customizable payload.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An access control issue allowing an unauthenticated user on the same network to send AirPlay commands to a signed-in Mac without pairing (as referenced in Apple Vision Pro security notes).
An AirPlay access control list (ACL) weakness allowing same-network attackers to send AirPlay commands to a signed-in Mac without pairing.
A macOS AirPlay-related one-click remote code execution vulnerability under certain network settings.
An access-control-list (ACL) weakness in AirPlay that allows unauthenticated command sending without pairing; described as chainable with another flaw to achieve one-click remote code execution.