A newly disclosed vulnerability in Apple’s CarPlay ecosystem enables remote code execution with root privileges, posing a serious risk to connected vehicles.
Discovered by the Oligo Security Research team and tracked as CVE-2025-24132, the flaw resides within the AirPlay protocol implementation used by CarPlay systems.
| CVE ID | Affected Components | Versions Impacted |
| CVE-2025-24132 | AirPlay Audio SDK | < 2.7.1 |
| AirPlay Video SDK | < 3.6.0.126 | |
| CarPlay Communication Plug-in | < R18.1, R18.1 |
Researchers presented their findings at DefCon 33 during the Pwn My Ride talk, illustrating how attackers can chain Bluetooth and Wi-Fi protocols to compromise in-car multimedia units without any user interaction.
Wireless CarPlay uses two layered protocols: iAP2 over Bluetooth to negotiate network credentials, and AirPlay over Wi-Fi to mirror the iPhone screen.
An attacker needs only a compatible Bluetooth radio to perform “Just Works” pairing—commonly enabled by default on many head units—to impersonate an iPhone.
Once paired, the attacker requests the CarPlay device’s SSID and password, connects to its private Wi-Fi network, and triggers the AirPlay stack buffer overflow in the vulnerable SDK versions. This chain yields remote code execution at the system’s highest privilege level.
The vulnerability affects:
- AirPlay Audio SDK versions before 2.7.1
- AirPlay Video SDK versions before 3.6.0.126
- CarPlay Communication Plug-in versions before R18.1 and R18.1 itself
Although Apple released patched SDKs on April 29, 2025, most automotive head-unit vendors have yet to integrate these fixes.
Vehicle firmware update cycles are notoriously slow, often requiring dealership intervention or USB installs. As a result, millions of vehicles remain exposed long after a patch exists.
Researchers withheld exploit details to allow vendors more time to remediate. They demonstrated successful exploitation on multiple CarPlay implementations, achieving root-level control over the head unit.
The team emphasized that while wired CarPlay demands physical access, wireless CarPlay is vulnerable even when devices are not discoverable by default—an attacker simply needs to pair during a brief discoverable window.
The long tail of exposure is worsened by fragmented software supply chains. Vehicle manufacturers, head-unit suppliers, middleware providers, and aftermarket integrators must each adopt patched SDKs, test for compatibility, and deploy updates.
High-end models with over-the-air update support may receive patches swiftly, but many models will lag behind, exposing drivers to remote takeover risks months or even years after patch release.
Organizations relying on CarPlay should immediately audit their head-unit firmware versions and enforce an update policy.
Automakers and suppliers are urged to prioritize integration of the patched SDKs and streamline their validation processes.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
