Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Apple CarPlay vulnerability leaves vehicles exposed due to slow patch adoption

CVE-2025-24132 allows attackers to hijack infotainment systems via USB, Wi-Fi, or Bluetooth pairing, with patches still largely unadopted by automakers.

byKerem Gülen
September 12, 2025
in Cybersecurity

On April 29, 2025, Oligo Security disclosed a buffer overflow vulnerability in Apple CarPlay, identified as CVE-2025-24132.

The vulnerability has a CVSS score of 6.5 (medium) and allows unauthorized access to CarPlay systems, often without requiring user interaction or authentication.

How the CarPlay vulnerability works

An attacker can exploit CVE-2025-24132 to control an Apple CarPlay system through a USB connection, the internet, or “Just Works” Bluetooth pairing. The “Just Works” method is a significant concern because it allows devices to connect without restriction, creating an opening for unauthorized access.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The exploit targets Apple’s iAP2 protocol, which manages the connection between a mobile device and a vehicle’s infotainment (IVI) system. The protocol only authenticates the IVI system, not the external device connecting to it. This one-way authentication allows an attacker to impersonate an iPhone, intercept network credentials, and take control of the vehicle’s network to issue commands.

Uri Katz, an Oligo Security researcher, noted, “We don’t have exact percentages, because it varies by vendor and model, but our testing found that a significant number of systems rely on Just Works Bluetooth pairing, and many older and third-party head units use default or predictable Wi-Fi passwords.”

Although technical details are limited, Apple’s security update from April 2025 suggests the issue relates to app termination. The vulnerability is located in the AirPlay software development kit (SDK) and enables remote code execution (RCE) with root privileges.

Potential risks for drivers

Gaining root-level RCE gives an attacker extensive control over the infotainment system. This access could allow them to spy on a driver’s location, eavesdrop on conversations, or disrupt the driver while the vehicle is in operation. Oligo Security’s research did not confirm if this access could extend to a vehicle’s safety-critical systems.

Slow industry response leaves systems vulnerable

Apple released a patch for CVE-2025-24132 on March 31, 2025, and coordinated the public disclosure with Oligo Security for April 29, 2025. Despite the patch being available, adoption by the automotive industry has been slow.

As of mid-September 2025, four and a half months after the fix was released, few vendors have implemented it. Notably, no car manufacturers have updated their systems, leaving many vehicles exposed to the vulnerability.

Challenges in automotive software updates

The slow patch deployment is caused by several factors within the automotive industry, including a lack of standardization, slow update cycles, and the need for manual installations at a dealership.

“Unlike phones that update overnight, many in‑vehicle systems still require manual installs by users or dealership visits,” Katz stated. “Even when Apple shipped the patched SDK, automakers must adapt, test, and validate it across their platforms, requiring coordination with suppliers and middleware providers.”

To improve security, Oligo Security recommends wider adoption of over-the-air (OTA) update pipelines and better coordination throughout the supply chain.

Katz added that while “the technology exists, but the organizational alignment hasn’t caught up.” Streamlining these processes is necessary to deploy security patches more quickly.


Featured image credit

Tags: Apple CarPlayCVE-2025-24132vulnerability

Related Posts

WestJet cyberattack: 1.2m passengers’ data stolen

WestJet cyberattack: 1.2m passengers’ data stolen

October 2, 2025
Wiz: AI vibe coding leads to insecure authentication

Wiz: AI vibe coding leads to insecure authentication

September 29, 2025
DHS uses AI to detect AI-generated child abuse material

DHS uses AI to detect AI-generated child abuse material

September 29, 2025
Salesforce Agentforce hit by Noma “ForcedLeak” exploit

Salesforce Agentforce hit by Noma “ForcedLeak” exploit

September 26, 2025
Co-op Group reports £75m loss after April cyber-attack

Co-op Group reports £75m loss after April cyber-attack

September 25, 2025
Taiwan industrial production up 14.4% in August thanks to AI chips

Taiwan industrial production up 14.4% in August thanks to AI chips

September 25, 2025

LATEST NEWS

Z.AI GLM-4.6 boosts context window to 200K tokens

OpenAI releases Sora 2, iOS app with real-world inserts

Bitrig: SwiftUI apps from voice using Apple Intelligence

Bengio warns hyper-AI preservation goals threaten humanity

Apple TV 4K to feature A17 Pro chip and Apple Intelligence

Instagram tests Reels-first home tab in India

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.