Apple launched emergency security updates to patch two zero-day vulnerabilities that have been utilized in an “extraordinarily subtle assault” in opposition to particular targets’ iPhones.
The 2 vulnerabilities are in CoreAudio (CVE-2025-31200) and RPAC (CVE-2025-31201), with each bugs impacting iOS, macOS, tvOS, iPadOS, and visionOS.
“Apple is conscious of a report that this challenge could have been exploited in an especially subtle assault in opposition to particular focused people on iOS,” reads an Apple security bulletin launched immediately.
The CVE-2025-31200 flaw in CoreAudio was found by Apple and the Google Risk Evaluation crew. It may be exploited by processing an audio stream in a maliciously crafted media file to execute distant code on the system.
The corporate additionally mounted CVE-2025-31201, which Apple found. It’s a bug in RPAC that enables attackers with learn or write entry to bypass Pointer Authentication (PAC), an iOS security characteristic that helps defend in opposition to reminiscence vulnerabilities.
Apple has not shared additional particulars on how the issues have been exploited in assaults. BleepingComputer contacted Apple and Google with questions on flaws however has not obtained a response.
Each vulnerabilities have been mounted in iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1, and visionOS 2.4.1.
The listing of units impacted by these zero-days is in depth, impacting older and newer fashions:
- iPhone XS and later
- iPad Professional 13-inch, iPad Professional 13.9-inch third technology and later, iPad Professional 11-inch 1st technology and later, iPad Air third technology and later, iPad seventh technology and later, and iPad mini fifth technology and later
- macOS Sequoia
- Apple TV HD and Apple TV 4K (all fashions)
- Apple Imaginative and prescient Professional
Although these zero-day flaws have been exploited in extremely focused assaults, customers are nonetheless strongly suggested to put in them as quickly as potential.
With these vulnerabilities, Apple has mounted 5 zero-days because the begin of the 12 months, the primary in January (CVE-2025-24085), the second in February (CVE-2025-24200), and the third in March (CVE-2025-24201).
