Apple released emergency security updates to patch two zero-day vulnerabilities that were used in an "extremely sophisticated attack" against specific targets' iPhones.
The two vulnerabilities are in CoreAudio (CVE-2025-31200) and RPAC (CVE-2025-31201), with both bugs impacting iOS, macOS, tvOS, iPadOS, and visionOS.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS," reads an
Apple security bulletin released today.
The CVE-2025-31200 flaw in CoreAudio was discovered by Apple and the Google Threat Analysis team. It can be exploited by processing an audio stream in a maliciously crafted media file to execute remote code on the device.
The company also fixed CVE-2025-31201, which Apple discovered. It is a bug in RPAC that allows attackers with read or write access to bypass Pointer Authentication (PAC), an iOS security feature that helps protect against memory vulnerabilities.
Apple has not shared further details on how the flaws were exploited in attacks. BleepingComputer contacted Apple and Google with questions about flaws but has not received a response.
Both vulnerabilities were fixed in
iOS 18.4.1,
iPadOS 18.4.1,
tvOS 18.4.1,
macOS Sequoia 15.4.1, and
visionOS 2.4.1.
