Apple CarPlay vulnerability leaves vehicles exposed due to slow patch adoption

CVE-2025-24132 allows attackers to hijack infotainment systems via USB, Wi-Fi, or Bluetooth pairing, with patches still largely unadopted by automakers.

by Kerem Gülen
September 12, 2025
in Cybersecurity

On April 29, 2025, Oligo Security disclosed a buffer overflow vulnerability in Apple CarPlay, identified as CVE-2025-24132.

The vulnerability has a CVSS score of 6.5 (medium) and allows unauthorized access to CarPlay systems, often without requiring user interaction or authentication.

How the CarPlay vulnerability works

An attacker can exploit CVE-2025-24132 to control an Apple CarPlay system through a USB connection, the internet, or “Just Works” Bluetooth pairing. The “Just Works” method is a significant concern because it lets devices pair without any verification step, creating an opening for unauthorized access.

The exploit targets Apple’s iAP2 protocol, which manages the connection between a mobile device and a vehicle’s in-vehicle infotainment (IVI) system. The protocol authenticates only the IVI system, not the external device connecting to it. This one-way authentication allows an attacker to impersonate an iPhone, intercept network credentials, and take control of the vehicle’s network to issue commands.
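The design weakness described above, a handshake in which only one side proves its identity, is easiest to see in a small model. The following Python is an added illustration, not Apple's iAP2 or AirPlay code, and not from Oligo Security's research; the shared-key HMAC challenge-response, the `HeadUnit`, `Phone` and `Impostor` classes and the message shapes are all constructed assumptions. It contrasts a head unit that proves itself to the peer but never challenges the peer (the one-way pattern) with one that also demands proof from the device (mutual authentication), and shows that only the second rejects a peer that lacks the device key.

```python
"""Toy model of one-way versus mutual challenge-response authentication.

Constructed illustration only: the key handling, message flow and class
names are assumptions, not the real iAP2 or AirPlay handshake.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def prove(key: bytes, challenge: bytes) -> bytes:
    """Response a party must return to show it holds `key`."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison of the expected and received responses."""
    return hmac.compare_digest(prove(key, challenge), response)


class Phone:
    """A genuine device: it knows the key that verifies the head unit and its own device key."""

    def __init__(self, ivi_key: bytes, device_key: bytes):
        self.ivi_key = ivi_key
        self.device_key = device_key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)
        return self._pending

    def check(self, response: bytes) -> bool:
        return self._pending is not None and verify(self.ivi_key, self._pending, response)

    def respond(self, challenge: bytes) -> bytes:
        return prove(self.device_key, challenge)


class Impostor(Phone):
    """A peer claiming to be a phone without the device key.

    It accepts whatever the head unit sends (it does not care whether the head
    unit is genuine) and answers any challenge with a proof under a wrong key.
    """

    def __init__(self) -> None:
        super().__init__(ivi_key=b"", device_key=b"not-the-real-device-key")

    def check(self, response: bytes) -> bool:
        return True


class HeadUnit:
    """The IVI side. With device_key=None it only proves itself (one-way);
    with a device_key it also challenges the peer (mutual)."""

    def __init__(self, ivi_key: bytes, device_key: Optional[bytes]):
        self.ivi_key = ivi_key
        self.device_key = device_key

    def pair(self, peer: Phone) -> bool:
        # Step 1: head unit proves its identity to the peer.
        if not peer.check(prove(self.ivi_key, peer.challenge())):
            return False
        # One-way design stops here: the peer is never asked to prove anything.
        if self.device_key is None:
            return True
        # Mutual design: the peer must answer a fresh challenge with the device key.
        challenge = secrets.token_bytes(32)
        return verify(self.device_key, challenge, peer.respond(challenge))


def run_scenarios() -> Dict[str, bool]:
    """Pair a genuine phone and an impostor against both head-unit designs."""
    ivi_key = secrets.token_bytes(32)       # constructed sample key
    device_key = secrets.token_bytes(32)    # constructed sample key
    genuine, fake = Phone(ivi_key, device_key), Impostor()
    one_way, mutual = HeadUnit(ivi_key, None), HeadUnit(ivi_key, device_key)
    return {
        "one_way/genuine": one_way.pair(genuine),
        "one_way/impostor": one_way.pair(fake),   # accepted: nothing checks the peer
        "mutual/genuine": mutual.pair(genuine),
        "mutual/impostor": mutual.pair(fake),     # rejected: wrong device key
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The model uses a single shared symmetric key per side for brevity; production pairing schemes generally rely on per-device certificates or public keys so that a compromised unit does not expose every peer. The point the model isolates is the same either way: a handshake that never asks the connecting device for proof will accept any peer that reaches it.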

Uri Katz, an Oligo Security researcher, noted, “We don’t have exact percentages, because it varies by vendor and model, but our testing found that a significant number of systems rely on Just Works Bluetooth pairing, and many older and third-party head units use default or predictable Wi-Fi passwords.”

Although technical details are limited, Apple’s security update from April 2025 suggests the issue relates to app termination. The vulnerability is located in the AirPlay software development kit (SDK) and enables remote code execution (RCE) with root privileges.

Potential risks for drivers

Gaining root-level RCE gives an attacker extensive control over the infotainment system. This access could allow them to track a driver’s location, eavesdrop on conversations, or distract the driver while the vehicle is in operation. Oligo Security’s research did not confirm whether this access could extend to a vehicle’s safety-critical systems.

Slow industry response leaves systems vulnerable

Apple released a patch for CVE-2025-24132 on March 31, 2025, and coordinated the public disclosure with Oligo Security for April 29, 2025. Despite the patch being available, adoption by the automotive industry has been slow.

As of mid-September 2025, four and a half months after the fix was released, few vendors have implemented it. Notably, no car manufacturers have updated their systems, leaving many vehicles exposed to the vulnerability.

Challenges in automotive software updates

The slow patch deployment is caused by several factors within the automotive industry, including a lack of standardization, slow update cycles, and the need for manual installations at a dealership.

“Unlike phones that update overnight, many in‑vehicle systems still require manual installs by users or dealership visits,” Katz stated. “Even when Apple shipped the patched SDK, automakers must adapt, test, and validate it across their platforms, requiring coordination with suppliers and middleware providers.”

To improve security, Oligo Security recommends wider adoption of over-the-air (OTA) update pipelines and better coordination throughout the supply chain.

Katz added that “the technology exists, but the organizational alignment hasn’t caught up.” Streamlining these processes is necessary to deploy security patches more quickly.
