Apple CarPlay Vulnerability Allows Remote Code Execution to Gain Root Access

A newly disclosed vulnerability in Apple’s CarPlay ecosystem enables remote code execution with root privileges, posing a serious risk to connected vehicles.

Discovered by the Oligo Security Research team and tracked as CVE-2025-24132, the flaw resides within the AirPlay protocol implementation used by CarPlay systems.

Researchers presented their findings at DefCon 33 during the Pwn My Ride talk, illustrating how attackers can chain Bluetooth and Wi-Fi protocols to compromise in-car multimedia units without any user interaction.

Wireless CarPlay uses two layered protocols: iAP2 over Bluetooth to negotiate network credentials, and AirPlay over Wi-Fi to mirror the iPhone screen.

An attacker needs only a compatible Bluetooth radio to perform “Just Works” pairing—commonly enabled by default on many head units—to impersonate an iPhone.

Once paired, the attacker requests the CarPlay device’s SSID and password, connects to its private Wi-Fi network, and triggers the AirPlay stack buffer overflow in the vulnerable SDK versions. This chain yields remote code execution at the system’s highest privilege level.

The vulnerability affects:

• AirPlay Audio SDK versions before 2.7.1
• AirPlay Video SDK versions before 3.6.0.126
• CarPlay Communication Plug-in versions before R18.1 and R18.1 itself

Although Apple released patched SDKs on April 29, 2025, most automotive head-unit vendors have yet to integrate these fixes.

Vehicle firmware update cycles are notoriously slow, often requiring dealership intervention or USB installs. As a result, millions of vehicles remain exposed long after a patch exists.

Researchers withheld exploit details to allow vendors more time to remediate. They demonstrated successful exploitation on multiple CarPlay implementations, achieving root-level control over the head unit.

The team emphasized that while wired CarPlay demands physical access, wireless CarPlay is vulnerable even when devices are not discoverable by default—an attacker simply needs to pair during a brief discoverable window.

The long tail of exposure is worsened by fragmented software supply chains. Vehicle manufacturers, head-unit suppliers, middleware providers, and aftermarket integrators must each adopt patched SDKs, test for compatibility, and deploy updates.

High-end models with over-the-air update support may receive patches swiftly, but many models will lag behind, exposing drivers to remote takeover risks months or even years after patch release.

Organizations relying on CarPlay should immediately audit their head-unit firmware versions and enforce an update policy.

Automakers and suppliers are urged to prioritize integration of the patched SDKs and streamline their validation processes.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!