A zero-click vulnerability affecting Apple CarPlay, tracked as CVE-2025-24132, remains unpatched in most vehicles nearly half a year after Apple released a fix.
The vulnerability allows attackers to take control of CarPlay systems, often without any user interaction or authentication. Apple patched it in the CarPlay AirPlay SDK on March 31, 2025, and coordinated disclosure with Oligo Security. Despite the patch being available, only a few vendors, and no car manufacturers, had shipped the fix as of September 11, 2025.
Exploitation of CVE-2025-24132 can occur over a wired USB connection or over Wi-Fi. Over Wi-Fi, an attacker within radio range can reach a vulnerable head unit directly if the vehicle's network password is easily guessed. Alternatively, the attacker can first pair over Bluetooth: vehicles that use "Just Works" Bluetooth pairing accept any peer without a passkey or user confirmation, so the pairing step needs nothing from the driver. Some Bluetooth configurations do require a PIN, but many do not, which is what makes the exploit zero-click in many scenarios.
Uri Katz, a researcher at Oligo Security, noted that a significant number of systems rely on Just Works Bluetooth pairing and that many older and third-party head units use default or predictable Wi-Fi passwords. He added that newer vehicles are improving in this regard, but legacy systems often ship with minimal pairing protections, posing a security risk.
The attack leverages Apple's iAP2 protocol, which establishes a session between a mobile device and an in-vehicle infotainment (IVI) system. iAP2 authentication is one-way: the accessory, here the IVI, proves its identity to the phone, but the IVI never verifies the device that connects to it. An attacker can therefore masquerade as an iPhone, request the head unit's Wi-Fi credentials over the session, join that network, and issue commands to the vehicle as if they came from a legitimate Apple device.
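The pairing and authentication chain described in the preceding paragraphs (Just Works Bluetooth pairing, then a one-way iAP2 session that hands out Wi-Fi credentials) modeled as a protocol exchange, as an added example that is not code from Oligo, Apple or the original article. The HMAC-based challenge-response stands in for MFi certificate authentication, the `mutual_auth` and `passkey` options are hypothetical hardening rather than settings the real SDK is known to expose, and every key, passkey, SSID and PSK is a constructed sample.

```python
"""Model of the CarPlay trust model described above: Bluetooth "Just Works"
pairing plus one-way iAP2 authentication lets any nearby device obtain the
head unit's Wi-Fi credentials. Added illustration, not Oligo's or Apple's
code: the HMAC challenge-response stands in for MFi certificate checks, and
every key, passkey, SSID and PSK is a constructed sample."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACCESSORY_KEY = b"mfi-accessory-key-demo"  # constructed; stands in for the MFi auth coprocessor key
PHONE_KEY = b"iphone-identity-key-demo"    # constructed; hypothetical phone identity a hardened IVI could check

@dataclass
class HeadUnit:
    """The in-vehicle infotainment (IVI) side of the session."""
    wifi_ssid: str
    wifi_psk: str
    pairing_mode: str = "just_works"  # weak default; "passkey" needs user confirmation
    passkey: Optional[int] = None     # only meaningful in "passkey" mode
    mutual_auth: bool = False         # weak default: the IVI never challenges the phone
    trusted_phone_key: bytes = PHONE_KEY  # hypothetical: what a mutual-auth IVI verifies against
    log: List[str] = field(default_factory=list)

@dataclass
class Client:
    """A phone, or an attacker's laptop pretending to be one."""
    name: str
    phone_key: Optional[bytes] = None  # a real phone has one; an impostor does not
    passkey: Optional[int] = None      # what the peer read off the car's screen, if anything

def prove(key: bytes, challenge: bytes) -> bytes:
    """Simplified proof of possession: HMAC-SHA256 over a fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def bluetooth_pair(unit: HeadUnit, client: Client) -> bool:
    """Step 1: Bluetooth pairing. Just Works accepts any peer with no confirmation."""
    if unit.pairing_mode == "just_works":
        unit.log.append(f"BT: paired {client.name} via Just Works, no user confirmation")
        return True
    # Passkey entry / numeric comparison: the peer must present the value shown in the car.
    ok = client.passkey is not None and client.passkey == unit.passkey
    unit.log.append(f"BT: passkey pairing for {client.name}: {'ok' if ok else 'rejected'}")
    return ok

def iap2_session(unit: HeadUnit, client: Client) -> bool:
    """Step 2: iAP2 authentication. By default only the accessory proves itself."""
    # Phone -> accessory challenge: the IVI answers with its MFi-style key. This is the
    # one direction iAP2 authenticates, and it tells the IVI nothing about the peer.
    phone_challenge = os.urandom(16)
    unit.log.append(f"iAP2: accessory proof sent to {client.name}: "
                    f"{prove(ACCESSORY_KEY, phone_challenge).hex()[:16]}...")
    if not unit.mutual_auth:
        # Vulnerable trust model: the IVI takes the peer's word that it is an iPhone.
        unit.log.append(f"iAP2: no check of {client.name}; session established")
        return True
    # Hypothetical hardened variant: the IVI challenges the phone as well.
    ivi_challenge = os.urandom(16)
    if client.phone_key is None:
        unit.log.append(f"iAP2: {client.name} cannot answer the IVI challenge")
        return False
    ok = hmac.compare_digest(prove(client.phone_key, ivi_challenge),
                             prove(unit.trusted_phone_key, ivi_challenge))
    unit.log.append(f"iAP2: phone authentication for {client.name}: {'ok' if ok else 'failed'}")
    return ok

def request_wifi_credentials(unit: HeadUnit, client: Client) -> Optional[Tuple[str, str]]:
    """Step 3: a connected 'phone' asks for the wireless CarPlay network details."""
    if not bluetooth_pair(unit, client) or not iap2_session(unit, client):
        return None
    unit.log.append(f"iAP2: Wi-Fi credentials handed to {client.name}")
    return unit.wifi_ssid, unit.wifi_psk

def run_scenarios() -> dict:
    """Same attacker laptop against the weak default and two hardened head units."""
    phone = Client("iPhone", phone_key=PHONE_KEY, passkey=583920)
    laptop = Client("attacker-laptop")  # no phone identity, never saw the passkey
    weak = HeadUnit("CarPlay-1234", "12345678")  # constructed predictable PSK, Just Works, one-way auth
    passkey_unit = HeadUnit("CarPlay-1234", "12345678", pairing_mode="passkey", passkey=583920)
    mutual = HeadUnit("CarPlay-1234", "12345678", mutual_auth=True)
    results = {
        "phone_on_weak": request_wifi_credentials(weak, phone),
        "attacker_on_weak": request_wifi_credentials(weak, laptop),      # the gap: impostor gets the PSK
        "attacker_on_passkey": request_wifi_credentials(passkey_unit, laptop),
        "attacker_on_mutual": request_wifi_credentials(mutual, laptop),
        "phone_on_mutual": request_wifi_credentials(mutual, phone),
    }
    results["log"] = weak.log + passkey_unit.log + mutual.log
    return results

if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The two hardened units show the two independent places the chain can be cut: a passkey stops the impostor at Bluetooth pairing before iAP2 ever starts, and an IVI that challenges the phone stops it even when Just Works pairing is kept. Note that a predictable PSK like the constructed one above makes the credential request unnecessary in the first place, which is why the article treats guessable Wi-Fi passwords as a separate path to the same AirPlay exploit.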
The vulnerability, which Apple's AirPlay SDK advisory characterizes in terms of unexpected app termination or arbitrary code execution, yields remote code execution (RCE) with root privileges on the head unit. That level of access could let attackers track drivers' locations, eavesdrop on in-car conversations, or distract drivers while they are at the wheel. The researchers could not confirm, however, whether the access extends to safety-critical systems within the vehicle.
A major concern highlighted by the researchers is the slow adoption of the patch by the automotive industry. Although Apple released the fix in March and coordinated disclosure in April, only a few vendors have shipped it, and no car manufacturers have. The lack of standardization in the automotive industry and its slow update cycles both contribute to the delay.
Katz explained that unlike smartphones that update overnight, many in-vehicle systems still require manual installs by users or dealership visits. Even with the availability of the patched SDK, automakers must adapt, test, and validate it across their platforms, which requires coordination with suppliers and middleware providers. He suggests wider adoption of over-the-air (OTA) update pipelines and smoother coordination in supply chains as potential solutions.
Katz emphasizes that the technology for OTA updates exists, but the organizational alignment within the automotive industry has not caught up. This lack of coordination and standardization makes it difficult to quickly address and patch vulnerabilities in vehicle systems, leaving them exposed to potential attacks.