Apple CarPlay zero-click buffer overflow remote code execution flaw (CVE-2025-24132)
Vulnerability
Summary
A zero-click Apple CarPlay buffer overflow continues to expose vehicles to root-privilege RCE risk, even though fixes have been available for months. The flaw is tracked as CVE-2025-24132 and sits in the AirPlay SDK, where it can be reached without user interaction or authentication under most conditions. Four and a half months after disclosure, only a small number of vendors and no car manufacturers had reportedly applied the fix.
Timeline
- 11.09.2025 22:30 · 1 article · 8mo ago
  Apple releases fix for CVE-2025-24132
  Mitigation Patch Update: Apple released fixes for CVE-2025-24132 in the AirPlay software development kit (SDK), closing a zero-click Apple CarPlay buffer overflow that could enable root-privilege remote code execution.
  Sources:
  - Apple CarPlay RCE Exploit Left Unaddressed in Most Cars — www.darkreading.com — 11.09.2025 22:30
- 11.09.2025 22:30 · 1 article · 8mo ago
  Oligo Security discloses CVE-2025-24132
  Initial Disclosure: Oligo Security disclosed CVE-2025-24132, a zero-click Apple CarPlay buffer overflow that could be reached through USB, Internet, or Bluetooth access paths and could lead to remote code execution with root privileges.
  Sources:
  - Apple CarPlay RCE Exploit Left Unaddressed in Most Cars — www.darkreading.com — 11.09.2025 22:30
- 11.09.2025 22:30 · 2 articles · 8mo ago
  Most CarPlay systems remain unpatched by September 2025
  Victim Impact Update: As of September 11, 2025, only a small number of vendors and no car manufacturers had implemented the CVE-2025-24132 fix, leaving Apple CarPlay-enabled vehicle systems exposed despite patch availability.
  Sources:
  - Apple CarPlay RCE Exploit Left Unaddressed in Most Cars — www.darkreading.com — 11.09.2025 22:30