
Unpatched Apple CarPlay RCE Vulnerability in Most Vehicles

1 unique source, 1 article

Summary


A zero-click remote code execution (RCE) vulnerability in Apple CarPlay, identified as CVE-2025-24132, remains unpatched in most vehicles nearly half a year after a fix was released. The flaw allows attackers to exploit CarPlay over USB, Internet, or Bluetooth connections without any user interaction. It affects vehicles that use the Apple iAP2 protocol and have minimal pairing protections. The automotive industry's slow update cycles and lack of standardization contribute to the delayed patching. The issue, rated medium severity (CVSS 6.5), enables attackers to gain root-level access, potentially leading to location tracking, eavesdropping, or driver distraction. The exact impact on vehicle safety-critical systems is unknown.

Timeline

  1. 11.09.2025 22:30 · 1 article · 1d ago

    Apple CarPlay RCE Vulnerability Exploitable via USB, Internet, or Bluetooth

    A zero-click remote code execution (RCE) vulnerability in Apple CarPlay, identified as CVE-2025-24132, remains unpatched in most vehicles. The flaw allows attackers to exploit CarPlay via USB, Internet, or Bluetooth connections without user interaction. The vulnerability affects vehicles that use the Apple iAP2 protocol and have minimal pairing protections. The automotive industry's slow update cycles and lack of standardization contribute to the delayed patching.


Information Snippets