Avi Profile
Avi

@avi_lum

Followers
254
Following
3K
Media
147
Statuses
705

Security Research, AI Engineering, everything in between @OligoSecurity

Joined January 2022
@avi_lum
Avi
2 months
Heard of AirPlay? Every now and then, you get the chance to work on something truly impactful. Excited to unveil AirBorne, a new set of vulnerabilities that can be chained by attackers to potentially take control of devices that support AirPlay.
1
1
10
@avi_lum
Avi
12 days
Full research:
0
3
16
@avi_lum
Avi
12 days
@AnthropicAI has fixed the issue promptly and professionally - it's amazing to see OS projects that really care for their users' security!
0
0
1
@avi_lum
Avi
12 days
We also spotted the MCP inspector instances that are exposed to the internet - more on that in the blog. This version locks down the local server behavior and adds command validation, improved documentation, as well as DNS rebinding protection against 0000day.
1
1
2
@avi_lum
Avi
12 days
No interaction needed other than visiting a website from a browser. Just having the inspector running was enough, using the default configuration. Mitigation: Update to MCP Inspector v0.14.1 in your global NPM instance (npm install -g) and inside each project.
1
1
2
@avi_lum
Avi
12 days
The inspector starts a local MCP proxy server that:
- Accepts arbitrary bash commands as arguments
- Has no auth
- Binds to localhost, which is reachable by any webpage via #0000 tricks
So yes, you read that right: visit a malicious website → get instant Remote Code Execution.
1
1
2
@avi_lum
Avi
12 days
The MCP Inspector tool automatically runs every time you evaluate/debug an MCP project - it’s the standard method recommended by Anthropic, used by:
- mcp dev
- npx @modelcontextprotocol/inspector
- Even OSS MCP servers from Google, OpenAI, Microsoft, etc.
1
1
3
@avi_lum
Avi
12 days
CVE-2025-49596: Critical RCE in Anthropic MCP Inspector. I stumbled across a nasty 0day in Anthropic’s official MCP Inspector. Turns out: any public website could have exploited it to run arbitrary bash commands.
5
32
195
@avi_lum
Avi
1 month
RT @Uri__S: @lukOlejnik Usage of localhost APIs reminds me of @avi_lum's research . Interesting to see it's actual….
0
1
0
@avi_lum
Avi
1 month
RT @mqst_: 🔓 0.0.0.0 Day: Exploiting Localhost APIs From the Browser. Blog: author: @avi_lum . #infosec https://t.….
0
44
0
@avi_lum
Avi
1 month
RT @shaunmmaguire: As a reminder, the Governor of Pennsylvania’s home was fire bombed. During the Jewish holiday of Passover. By a pro-Pale….
0
375
0
@avi_lum
Avi
2 months
RT @GalElbaz1: You know our research made an impact when @e_kaspersky (!!!) shares it. Our #Airborne deep dive into a zero-click, wormab….
0
1
0
@avi_lum
Avi
2 months
RT @e_kaspersky: AirBorne: Attacks on Apple devices through vulnerabilities in AirPlay. Why a big deal and how to stay safe from these att….
0
8
0
@avi_lum
Avi
2 months
RT @OligoSecurity: Oligo Security researchers uncovered critical vulnerabilities in Apple's AirPlay protocol, affecting billions of devices….
0
16
0
@avi_lum
Avi
2 months
RT @The_Cyber_News: 🚨 AirPlay 0-Click RCE Vulnerability Enables Remote Device Takeover via Wi-Fi . Read more: ✅ A….
0
15
0
@avi_lum
Avi
2 months
RT @WIRED: Apple products are known for regularly receiving updates, but since many smart-home devices are rarely patched, these wirelessly….
0
3
0
@avi_lum
Avi
2 months
RT @WIRED: Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party….
0
36
0
@avi_lum
Avi
2 months
RT @a_greenberg: Flaws in Apple's AirPlay protocol for streaming media to speakers, TVs, and set-top boxes have left millions of these devi….
0
41
0
@avi_lum
Avi
2 months
Can’t wait to see what we find next! Check out the full research here: . And the @WIRED story about the disclosure here: . @GalElbaz1 @OligoSecurity
0
2
3
@avi_lum
Avi
2 months
One of the best parts about this is that the research is the result of over a year of work. Our team’s Shelltorch research led us to uncover ShadowRay, ShadowRay led us to #0000 Day, and #0000 Day led us to investigate AirBorne.
1
1
2
@avi_lum
Avi
2 months
Both Apple devices and third-party devices that leverage the AirPlay SDK are affected. From zero-click and one-click RCE to ACL bypass and MITM attacks, the vectors and attack outcomes cover a wide range in the 17 CVEs issued by Apple!
1
1
2