Full Report
Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-31200 (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio
Analysis Summary
# Vulnerability: Actively Exploited Apple Zero-Days in Core Audio and RPAC
## CVE Details
- CVE ID: CVE-2025-31200, CVE-2025-31201
- CVSS Score: 7.5 (CVE-2025-31200) / 6.8 (CVE-2025-31201) (Severity not explicitly labeled, but derived from scores)
- CWE: Memory Corruption (CVE-2025-31200)
## Affected Systems
- **Products:** iOS, iPadOS, macOS Sequoia, tvOS, visionOS
- **Versions:** Prior to the patched versions listed below (iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1)
- **Configurations:** Any device running the affected operating systems.
## Vulnerability Description
This summary covers two distinct vulnerabilities actively exploited by attackers:
1. **CVE-2025-31200 (Core Audio Memory Corruption):** A memory corruption vulnerability within the Core Audio framework. Successful exploitation could allow remote code execution when a user processes a specially crafted media file containing an audio stream.
2. **CVE-2025-31201 (RPAC Pointer Authentication Bypass):** A vulnerability in the RPAC component that could be leveraged by an attacker who has already achieved arbitrary read/write capabilities to bypass Pointer Authentication protections.
Apple notes that CVE-2025-31200 specifically was used in an "extremely sophisticated attack against specific targeted individuals on iOS."
## Exploitation
- **Status:** Actively exploited in the wild (Zero-day status for both).
- **Complexity:** Not specified, but the context implies high sophistication required for successful targeting.
- **Attack Vector:** Network (implied via crafted media file processing) for CVE-2025-31200; Local/Privilege escalation context for CVE-2025-31201 based on prerequisite conditions.
## Impact
* **Confidentiality:** High (Potential for code execution and unauthorized access/data extraction).
* **Integrity:** High (Potential for code execution altering system state).
* **Availability:** Medium to High (Depends on the nature of the sophisticated attack chain).
## Remediation
### Patches
Apple released security updates addressing these flaws:
* **iOS 18.4.1 and iPadOS 18.4.1:** For iPhone XS and later, various iPad models (Pro 13-inch 3rd gen+, 11-inch 1st gen+, Air 3rd gen+, 7th gen+), and iPad mini 5th gen+.
* **macOS Sequoia 15.4.1:** For Macs running macOS Sequoia.
* **tvOS 18.4.1:** For Apple TV HD and Apple TV 4K (all models).
* **visionOS 2.4.1:** For Apple Vision Pro.
**Fixes:**
* CVE-2025-31200 was addressed by Apple with **improved bounds checking**.
* CVE-2025-31201 was addressed by **removing the vulnerable section of code**.
### Workarounds
There are no specific workarounds listed, as the vulnerabilities are actively exploited zero-days. Immediate patching is the required mitigation.
## Detection
- **Indicators of compromise:** Not specified in the summary, but monitoring for unexpected behavior related to media processing or system integrity checks is generally advised for actively exploited zero-days.
- **Detection methods and tools:** System auditing and endpoint detection and response (EDR) tools should monitor for suspicious calls related to Core Audio or RPAC functionalities, although highly targeted attacks may employ advanced evasion techniques.
## References
- [Apple Security Update Advisories (General Reference)](https://support.apple.com/en-us/100100)
- [iOS/iPadOS Update Details](https://support.apple.com/en-us/122282)
- [macOS Sequoia Update Details](https://support.apple.com/en-us/122400)
- [tvOS Update Details](https://support.apple.com/en-us/122401)
- [visionOS Update Details](https://support.apple.com/en-us/122402)