Unpatched Apple CarPlay RCE Vulnerability in Most Vehicles
Summary
A zero-click remote code execution (RCE) vulnerability in Apple CarPlay, identified as CVE-2025-24132, remains unpatched in most vehicles nearly half a year after a fix was released. The flaw lets attackers exploit CarPlay over USB, Internet, or Bluetooth connections without any user interaction. It affects vehicles that use the Apple iAP2 protocol and have minimal pairing protections. The automotive industry's slow update cycles and lack of standardization contribute to the delayed patching. The issue, rated medium severity (CVSS 6.5), gives attackers root-level access to CarPlay, which could lead to location tracking, eavesdropping, or driver distraction. The exact impact on vehicle safety-critical systems is unknown.
Timeline
- 11.09.2025 22:30, 1 article, 1d ago
Apple CarPlay RCE Vulnerability Exploitable via USB, Internet, or Bluetooth
A zero-click remote code execution (RCE) vulnerability in Apple CarPlay, identified as CVE-2025-24132, remains unpatched in most vehicles. The flaw allows attackers to exploit CarPlay via USB, Internet, or Bluetooth connections without user interaction. The vulnerability affects vehicles that use the Apple iAP2 protocol and have minimal pairing protections. The automotive industry's slow update cycles and lack of standardization contribute to the delayed patching.
- Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
Information Snippets
- The vulnerability, CVE-2025-24132, was disclosed on April 29, 2025, by Oligo Security.
  First reported: 11.09.2025 22:30 (1 source, 1 article). Source: Apple CarPlay RCE Exploit Left Unaddressed in Most Cars, www.darkreading.com, 11.09.2025 22:30
- The flaw allows attackers to exploit CarPlay via USB, Internet, or Bluetooth connections.
- The vulnerability has a CVSS score of 6.5, classified as medium severity.
- Apple released a patch for the vulnerability on March 31, 2025.
- The vulnerability affects vehicles using the Apple iAP2 protocol.
- Many vehicles use 'Just Works' Bluetooth pairing, allowing unrestricted device pairing.
- The flaw enables attackers to gain root-level access to CarPlay.
- The automotive industry's slow update cycles and lack of standardization hinder patching efforts.