Full Report
Apple released emergency security updates to patch two zero-day vulnerabilities that were used in an "extremely sophisticated attack" against specific targets' iPhones. [...]
Analysis Summary
# Vulnerability: Apple Zero-Days Exploited in Targeted Attacks (CoreAudio RCE and PAC Bypass)
## CVE Details
Two CVEs were fixed in the same set of updates. The text gives no CVSS scores or CWEs; Apple describes both as having been exploited in an "extremely sophisticated attack against specific targeted individuals."
- CVE ID: CVE-2025-31200 (CoreAudio memory corruption, remote code execution)
- CVE ID: CVE-2025-31201 (RPAC, Pointer Authentication bypass)
- CVSS Score: Not specified
- CWE: Not specified
## Affected Systems
- Products: iOS, macOS, tvOS, iPadOS, visionOS
- Versions: All versions prior to the patch releases listed under Remediation.
- Configurations: No configuration dependency is stated. The CoreAudio flaw is reached by processing an audio stream in a media file; the RPAC flaw only matters to an attacker who already has arbitrary memory read and write on the device.
**Specific Impacted Devices (All models running vulnerable software):**
* iPhone XS and later
* iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later)
* macOS Sequoia
* Apple TV HD and Apple TV 4K (all models)
* Apple Vision Pro
## Vulnerability Description
Two separate vulnerabilities were patched:
1. **CVE-2025-31200 (CoreAudio):** Discovered by Apple and Google Threat Analysis Group (TAG). Processing an audio stream in a maliciously crafted media file may result in **Remote Code Execution (RCE)**. Apple describes the root cause as a memory corruption issue addressed with improved bounds checking.
2. **CVE-2025-31201 (RPAC):** Discovered by Apple, which names the affected component only as RPAC. An attacker who already has arbitrary read and write capability can use it to **bypass Pointer Authentication (PAC)**, the arm64e mitigation that cryptographically signs return addresses and other code pointers so a memory-corruption bug cannot simply redirect control flow. This is a second-stage primitive rather than an entry point: it fits the pattern of a chain in which an initial memory-corruption exploit (such as the CoreAudio flaw) yields read/write and the PAC bypass then converts that into code execution, although the advisories do not state that the two were used together.
## Exploitation
- Status: **Exploited in the wild** (in a targeted manner).
- Complexity: Apple describes an "extremely sophisticated attack"; no CVSS attack-complexity rating is given.
- Attack Vector: Network for the CoreAudio flaw (a maliciously crafted media file delivered to the device and processed by CoreAudio). The PAC bypass has no independent vector; it requires an attacker who already holds a read/write primitive on the device.
## Impact
The advisories do not give impact ratings; from the technical descriptions:
- Confidentiality: High (RCE followed by a PAC bypass gives deep access to device data).
- Integrity: High (arbitrary code execution and memory modification).
- Availability: Medium to High (depends on the payload; a failed exploit attempt can also crash the process handling the media file).
## Remediation
### Patches
Apple released updates fixing both zero-days across their operating systems:
* **iOS:** Version 18.4.1
* **iPadOS:** Version 18.4.1
* **tvOS:** Version 18.4.1
* **macOS:** Sequoia 15.4.1
* **visionOS:** Version 2.4.1
### Workarounds
No workarounds are given. Because exploitation is active and targeted, the only advice is to install the patch releases immediately.
## Detection
- No indicators of compromise (IOCs) are given in this summary.
- Detection therefore reduces to compliance: verify that every endpoint is running at least the patched OS version for its platform. Because the entry point is a crafted media file, there is no network-facing service to scan for; the device's OS version is the only reliable signal the advisories provide.
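The version check described above, as an added example that is not from the page or from Apple: the script takes a generic MDM-style inventory export (the `name`, `platform` and `os_version` field names and all device records are constructed for illustration) and flags every device whose OS is older than the fixed version for its platform. Versions are compared numerically rather than as strings, so `18.4` sorts below `18.4.1` and `18.10` above `18.4`; devices on platforms these advisories do not cover, or with unparseable version data, go into a separate `unknown` bucket rather than being silently treated as patched.

```python
"""Flag Apple devices still below the CVE-2025-31200 / CVE-2025-31201 fix level.

Added example, not from the original advisory or from Apple. The inventory
format (name / platform / os_version) is an assumption about a generic MDM
export; the device records themselves are constructed sample data.
"""
import json
from typing import Optional

# Minimum fixed versions per platform, taken from Apple's April 2025 advisories.
FIXED_VERSIONS = {
    "iOS": "18.4.1",
    "iPadOS": "18.4.1",
    "tvOS": "18.4.1",
    "macOS": "15.4.1",
    "visionOS": "2.4.1",
}


def parse_version(version: str) -> tuple:
    """Turn '18.4.1' into (18, 4, 1), padding to three components so that
    '18.4' compares below '18.4.1' and '18.10' above '18.4' numerically.
    Raises ValueError on anything that is not dotted integers, so bad
    inventory data surfaces instead of being misclassified."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    nums = [int(p) for p in parts][:3]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_patched(platform: str, version: str) -> Optional[bool]:
    """True if the device is at or above the fix for its platform, False if
    below it, None if the platform is not covered by these advisories."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return None
    return parse_version(version) >= parse_version(fixed)


def audit(inventory_json: str) -> dict:
    """Sort devices from a JSON inventory into vulnerable / patched / unknown.
    Unknown covers uncovered platforms and unparseable version strings."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for device in json.loads(inventory_json):
        name = device.get("name", "<unnamed>")
        try:
            status = is_patched(device.get("platform", ""), device.get("os_version", ""))
        except ValueError:
            status = None
        if status is None:
            report["unknown"].append(name)
        elif status:
            report["patched"].append(name)
        else:
            report["vulnerable"].append(name)
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = json.dumps([
    {"name": "ceo-iphone", "platform": "iOS", "os_version": "18.4"},       # one point release short
    {"name": "dev-mbp", "platform": "macOS", "os_version": "15.4.1"},     # patched
    {"name": "lobby-appletv", "platform": "tvOS", "os_version": "18.3"},  # vulnerable
    {"name": "design-ipad", "platform": "iPadOS", "os_version": "18.4.1"},
    {"name": "lab-visionpro", "platform": "visionOS", "os_version": "2.4"},
    {"name": "legacy-iphone", "platform": "iOS", "os_version": "17.7.2"},  # older major train
    {"name": "ubuntu-box", "platform": "Linux", "os_version": "6.8"},      # not covered
    {"name": "bad-data", "platform": "iOS", "os_version": ""},             # broken inventory row
])

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(names) or '-'}")
```

Running the file prints the three buckets. The constructed `legacy-iphone` on iOS 17.x is flagged as vulnerable because the page states that all versions prior to the patch releases are affected; whether Apple shipped a separate fix for older release trains is not covered by these advisories and would need to be checked against Apple's security releases page before such devices are cleared.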
## References
- Vendor Advisory (iOS/iPadOS): support.apple.com/en-us/122282 (Defanged)
- Vendor Advisory (tvOS): support.apple.com/en-us/122401 (Defanged)
- Vendor Advisory (macOS): support.apple.com/en-us/122400 (Defanged)
- Vendor Advisory (visionOS): support.apple.com/en-us/122402 (Defanged)