Apple CarPlay RCE Exploit (CVE-2025-24132) Remains Unpatched in Most Vehicles
Summary
A zero-click remote code execution (RCE) vulnerability in Apple CarPlay, identified as CVE-2025-24132, remains unpatched in most vehicles nearly half a year after a fix was released. This buffer overflow vulnerability can grant attackers unauthorized control over CarPlay systems. The exploit requires minimal user interaction and can be executed via USB, Internet, or Bluetooth connections. The issue affects numerous models and vendors, with significant implications for vehicle security. The vulnerability was disclosed on April 29, 2025, by Oligo Security. Despite the availability of patches, few vendors and no car manufacturers have implemented the fix. This delay is due to the complexity of updating in-vehicle systems, which often require manual installations or dealership visits.
Timeline
- 11.09.2025 22:30 · 1 article
  Apple CarPlay RCE Exploit (CVE-2025-24132) Remains Unpatched in Most Vehicles
  A zero-click remote code execution (RCE) vulnerability in Apple CarPlay, identified as CVE-2025-24132, remains unpatched in most vehicles nearly half a year after a fix was released. The exploit can be executed via USB, Internet, or Bluetooth connections, and allows for root-level RCE, enabling various malicious activities. The delay in patching is due to the complexity of updating in-vehicle systems.
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
Information Snippets
- CVE-2025-24132 is a buffer overflow vulnerability in Apple CarPlay that allows for zero-click remote code execution.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The vulnerability was disclosed on April 29, 2025, by Oligo Security.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The exploit can be executed via USB, Internet, or Bluetooth connections.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The vulnerability has a CVSS severity score of 6.5, classified as 'medium'.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- Patches for the vulnerability were released on March 31, 2025, but few vendors and no car manufacturers have implemented them.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The exploit leverages the iAP2 protocol, which only authenticates in one direction.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The vulnerability allows for root-level RCE, enabling various malicious activities such as spying on drivers' locations and eavesdropping on conversations.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The delay in patching is due to the complexity of updating in-vehicle systems, which often require manual installations or dealership visits.
  First reported: 11.09.2025 22:30 (1 source, 1 article)
  Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
Similar Happenings
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Apple patches Image I/O zero-day exploited in targeted attacks
Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw, an out-of-bounds write issue, was exploited in "extremely sophisticated" targeted attacks against specific individuals. The vulnerability affects multiple iOS, iPadOS, and macOS versions and devices; attackers can trigger it by supplying malicious input, potentially leading to remote code execution. Affected devices include various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS. The flaw was discovered internally by Apple and addressed with improved bounds checking; Apple has not attributed the discovery to a specific researcher or provided details about the attacks. Users are advised to install the updates promptly to mitigate potential ongoing attacks. CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021. Apple has backported fixes for the vulnerability to older versions of iOS, iPadOS, and macOS, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. The updates also address multiple other security flaws in various Apple products. The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks, which Apple and WhatsApp both described as "extremely sophisticated". Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.