Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

Apple CarPlay vulnerability leaves vehicles exposed due to slow patch adoption

CVE-2025-24132 allows attackers to hijack infotainment systems via USB, Wi-Fi, or Bluetooth pairing, with patches still largely unadopted by automakers.

byKerem Gülen
September 12, 2025
in Cybersecurity

On April 29, 2025, Oligo Security disclosed a buffer overflow vulnerability in Apple CarPlay, identified as CVE-2025-24132.

The vulnerability has a CVSS score of 6.5 (medium) and allows unauthorized access to CarPlay systems, often without requiring user interaction or authentication.

How the CarPlay vulnerability works

An attacker can exploit CVE-2025-24132 to control an Apple CarPlay system through a USB connection, the internet, or “Just Works” Bluetooth pairing. The “Just Works” method is a significant concern because it allows devices to connect without restriction, creating an opening for unauthorized access.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The exploit targets Apple’s iAP2 protocol, which manages the connection between a mobile device and a vehicle’s infotainment (IVI) system. The protocol only authenticates the IVI system, not the external device connecting to it. This one-way authentication allows an attacker to impersonate an iPhone, intercept network credentials, and take control of the vehicle’s network to issue commands.

Uri Katz, an Oligo Security researcher, noted, “We don’t have exact percentages, because it varies by vendor and model, but our testing found that a significant number of systems rely on Just Works Bluetooth pairing, and many older and third-party head units use default or predictable Wi-Fi passwords.”

Although technical details are limited, Apple’s security update from April 2025 suggests the issue relates to app termination. The vulnerability is located in the AirPlay software development kit (SDK) and enables remote code execution (RCE) with root privileges.

Potential risks for drivers

Gaining root-level RCE gives an attacker extensive control over the infotainment system. This access could allow them to spy on a driver’s location, eavesdrop on conversations, or disrupt the driver while the vehicle is in operation. Oligo Security’s research did not confirm if this access could extend to a vehicle’s safety-critical systems.

Slow industry response leaves systems vulnerable

Apple released a patch for CVE-2025-24132 on March 31, 2025, and coordinated the public disclosure with Oligo Security for April 29, 2025. Despite the patch being available, adoption by the automotive industry has been slow.

As of mid-September 2025, four and a half months after the fix was released, few vendors have implemented it. Notably, no car manufacturers have updated their systems, leaving many vehicles exposed to the vulnerability.

Challenges in automotive software updates

The slow patch deployment is caused by several factors within the automotive industry, including a lack of standardization, slow update cycles, and the need for manual installations at a dealership.

“Unlike phones that update overnight, many in‑vehicle systems still require manual installs by users or dealership visits,” Katz stated. “Even when Apple shipped the patched SDK, automakers must adapt, test, and validate it across their platforms, requiring coordination with suppliers and middleware providers.”

To improve security, Oligo Security recommends wider adoption of over-the-air (OTA) update pipelines and better coordination throughout the supply chain.

Katz added that while “the technology exists, but the organizational alignment hasn’t caught up.” Streamlining these processes is necessary to deploy security patches more quickly.


Featured image credit

Tags: Apple CarPlayCVE-2025-24132vulnerability

Related Posts

Google’s Live Threat Detection is reportedly coming to more Android phones

Google’s Live Threat Detection is reportedly coming to more Android phones

October 23, 2025
Meta’s latest update focuses on protecting older users from scams

Meta’s latest update focuses on protecting older users from scams

October 22, 2025
US judge bans NSO Group from targeting WhatsApp users with Pegasus spyware

US judge bans NSO Group from targeting WhatsApp users with Pegasus spyware

October 21, 2025
AWS outage: A complete list of every site and app that went down

AWS outage: A complete list of every site and app that went down

October 20, 2025
Windows 11’s new security patch is a system-breaking disaster, fix it now

Windows 11’s new security patch is a system-breaking disaster, fix it now

October 20, 2025
Discord confirms support vendor hack exposing user data and government IDs

Discord confirms support vendor hack exposing user data and government IDs

October 20, 2025

LATEST NEWS

Is ChatGPT down again? Reports indicate ongoing outage

Path of Exile: Keepers of the Flame will be the Breach 2.0!

Google Meet now lets you move people in and out of meetings like a lobby

Sam Altman: AI will cause “strange or scary moments”

Anthropic gives Claude a real memory and lets users edit it directly

Nissan’s Sakura EV gets a solar roof that adds 1,800 miles a year

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.