SoloSecurities: Cybersecurity Consulting & Training

Apple Zero-Days Exploited: Inside the Sophisticated Attacks and Urgent Patches

Apple has once again found itself in the crosshairs of sophisticated threat actors. On Wednesday, April 16, 2025, the company rolled out critical security updates across iOS, iPadOS, macOS Sequoia, tvOS, and visionOS in response to two newly discovered zero-day vulnerabilities actively exploited in the wild.

These vulnerabilities—tracked as CVE-2025-31200 and CVE-2025-31201—were reportedly leveraged in precision-targeted attacks aimed at compromising high-value individuals. While Apple’s ecosystem is known for its tight-knit security, these flaws serve as a stark reminder that no platform is immune from exploitation.

In this blog, we’ll take a deep dive into:

  • What the vulnerabilities are and how they work
  • Who discovered them
  • The nature of the attacks
  • Devices impacted
  • Broader implications for iOS and Apple device security
  • How users and enterprises should respond
  • Historical context of Apple’s 2025 zero-day timeline

Overview of the Two New Zero-Days

Let’s break down the two vulnerabilities patched by Apple and understand their impact.


🔐 CVE-2025-31200 – Core Audio Memory Corruption

  • CVSS Score: 7.5 (High)
  • Component: Core Audio
  • Type: Memory corruption
  • Impact: Arbitrary code execution
  • Attack Vector: Maliciously crafted media file

This flaw resides in Core Audio, the framework responsible for audio processing across Apple devices. According to Apple’s advisory, this vulnerability allows an attacker to execute arbitrary code simply by tricking a user into processing a maliciously crafted audio stream.

The exploitation potential is significant—especially in drive-by attacks, spear-phishing, or media-sharing scenarios—where attackers could deliver weaponized audio files via messaging apps or social media platforms.

Fix: Apple resolved this vulnerability via improved bounds checking, limiting how memory buffers are allocated and accessed during audio stream processing.


🎯 CVE-2025-31201 – RPAC Pointer Authentication Bypass

  • CVSS Score: 6.8 (Medium-High)
  • Component: RPAC (possibly related to hardware-accelerated pointer authentication)
  • Impact: Pointer Authentication Code (PAC) bypass
  • Attack Vector: Requires arbitrary read/write capabilities

This vulnerability is technically more complex. It enables attackers to bypass PAC protections, a critical line of defense in modern Apple silicon chips (e.g., A16, A17, M2, M3). A PAC bypass is particularly dangerous because PAC is designed to protect against return-oriented programming (ROP) and other code-reuse attacks.

The attacker needs an existing arbitrary memory read/write primitive to exploit this, suggesting it is likely used in multi-stage attacks, possibly in conjunction with CVE-2025-31200 or other sandbox escape methods.

Fix: Apple fixed the vulnerability by removing the vulnerable section of code, closing the exploit path entirely.


Who Reported the Vulnerabilities?

Interestingly, these vulnerabilities were not disclosed by external researchers alone. The credit goes jointly to Apple’s internal security team and Google Threat Analysis Group (TAG)—a branch of Google focused on tracking sophisticated state-sponsored hacking groups.

This partnership hints at a broader intelligence-sharing effort to counteract state-backed or surveillance-related attacks, especially those aimed at journalists, activists, and political figures.

“Apple is aware of a report that this issue may have been actively exploited in extremely sophisticated attacks against specific targeted individuals.” – Apple


Targets: Who Was at Risk?

While Apple has not disclosed specific names or groups, the language—“specific targeted individuals”—is strongly indicative of targeted surveillance campaigns, such as:

  • Investigative journalists
  • Human rights defenders
  • Dissidents in authoritarian regimes
  • Executives or government officials

Given that Google TAG is involved, it’s possible this zero-day chain is part of an ongoing surveillance-for-hire campaign or commercial spyware operation, similar to NSO Group’s Pegasus, Cytrox Predator, or Intellexa’s Reign.


Devices Affected

The vulnerabilities affect a wide range of Apple devices. The patched releases, and the hardware each one covers, are:

📱 iOS & iPadOS 18.4.1

  • iPhone XS and later
  • iPad Pro (13″, 11″, and 3rd-gen+ models)
  • iPad Air (3rd-gen+)
  • iPad 7th-gen and later
  • iPad mini 5th-gen and later

💻 macOS Sequoia 15.4.1

  • All Macs running macOS Sequoia

📺 tvOS 18.4.1

  • Apple TV HD
  • Apple TV 4K (all models)

🥽 visionOS 2.4.1

  • Apple Vision Pro

Action Required: Users of the above devices should immediately update to the latest OS versions to mitigate the risk of exploitation.


Apple’s 2025 Vulnerability Timeline: 5 Zero-Days So Far

With these two disclosures, Apple has now patched five actively exploited zero-days in just four months of 2025.

CVE ID            Component      CVSS  Type                           Fixed In
CVE-2025-24085    Core Media     7.8   Use-after-free                 iOS 18.2
CVE-2025-24200    Accessibility  4.6   Authorization bypass           iOS 18.2.1
CVE-2025-24201    WebKit         7.1   Out-of-bounds write            iOS 18.3
CVE-2025-31200    Core Audio     7.5   Memory corruption              iOS 18.4.1
CVE-2025-31201    RPAC           6.8   Pointer Authentication bypass  iOS 18.4.1

This trend highlights how attackers are increasingly focused on Apple platforms, often leveraging zero-click, zero-day chains to compromise devices stealthily.


Why This Matters: The Growing iOS Threat Landscape

In previous years, iOS was often considered more secure than Android due to Apple’s walled-garden approach. However, 2024–2025 has exposed that attackers—particularly nation-state actors—are increasingly targeting:

  • Apple’s proprietary media frameworks
  • WebKit, used across browsers and apps
  • PAC and sandboxing technologies
  • Accessibility services to sidestep lockscreen protections

The increased sophistication of these exploits suggests well-funded, coordinated efforts, often outside the scope of casual cybercriminals.


Security Best Practices for Users

If you’re using an Apple device, here are a few steps to stay secure:

  1. Update Immediately
    Go to Settings > General > Software Update and install the latest version.
  2. 🔐 Enable Lockdown Mode (for at-risk individuals)
    This feature dramatically reduces attack surface by disabling JavaScript, attachment previews, and other risky functions.
  3. 📵 Avoid Untrusted Media Files
    Don’t open audio files, PDFs, or images from unknown sources—even if they look harmless.
  4. 🔍 Monitor Device Behavior
    If your device is overheating, crashing, or draining battery without reason, consider a forensic checkup.
  5. 🛡️ Use Security-Focused Apps
    Consider antivirus and VPN apps vetted by security experts, especially if you travel or communicate in sensitive contexts.

Advice for Security Teams & Enterprises

For CISOs and IT security professionals, here are a few key takeaways:

  • Deploy MDM (Mobile Device Management) tools to enforce software updates.
  • Use SIEM/XDR to detect unusual device behaviors or network anomalies.
  • Enable threat intelligence feeds focused on Apple platform threats.
  • Educate users on spear-phishing campaigns and media-based attack vectors.
  • Treat iPhones and iPads as critical enterprise endpoints, not secondary devices.
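As an added example (not code from this post or from any MDM vendor), the following Python audit reads a constructed MDM inventory export, flags devices below the patched versions listed above, and, for iOS/iPadOS builds, names which of the five 2025 zero-days from the timeline table they still lack. The CSV column names and device names are assumptions; the post gives per-CVE fix versions only for iOS, so other platforms are only checked against the April 16, 2025 release.

```python
import csv
import io
# Minimum OS version carrying the April 16, 2025 fixes, per platform (from the post).
PATCHED = {
    "iOS": (18, 4, 1), "iPadOS": (18, 4, 1), "macOS": (15, 4, 1),
    "tvOS": (18, 4, 1), "visionOS": (2, 4, 1),
}
# 2025 zero-day timeline: CVE -> first iOS release that fixed it (table above).
IOS_FIXES = {
    "CVE-2025-24085": (18, 2, 0), "CVE-2025-24200": (18, 2, 1),
    "CVE-2025-24201": (18, 3, 0), "CVE-2025-31200": (18, 4, 1),
    "CVE-2025-31201": (18, 4, 1),
}

def parse_version(text):
    """'18.4' -> (18, 4, 0): pad to three fields so 18.4 sorts below 18.4.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def missing_cves(platform, version):
    """CVEs from the 2025 timeline that this iOS/iPadOS build still lacks.
    The post gives fix versions only for iOS, so other platforms return []."""
    if platform not in ("iOS", "iPadOS"):
        return []
    installed = parse_version(version)
    return sorted(cve for cve, fixed in IOS_FIXES.items() if installed < fixed)

def audit_inventory(csv_text):
    """Return (device, platform, version, notes) for each device below the
    patched version, or on a platform this audit does not cover."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        device, plat, ver = row["device"], row["platform"], row["os_version"]
        if plat not in PATCHED:
            findings.append((device, plat, ver, ["unknown platform"]))
        elif parse_version(ver) < PATCHED[plat]:
            findings.append((device, plat, ver, missing_cves(plat, ver)))
    return findings

# Constructed sample export (hypothetical device names, not real inventory).
SAMPLE_INVENTORY = """device,platform,os_version
ceo-iphone,iOS,18.3
legal-ipad,iPadOS,18.4.1
finance-mac,macOS,15.4
intern-phone,Android,14
"""
if __name__ == "__main__":
    for device, plat, ver, notes in audit_inventory(SAMPLE_INVENTORY):
        print(f"{device}: {plat} {ver} -> {', '.join(notes) or 'update required'}")
```

Point the CSV reader at your MDM's real export and the unknown-platform branch will surface any non-Apple devices that slipped into the Apple fleet query.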

Conclusion: Apple’s Security Dilemma

Apple continues to invest heavily in security and privacy, but the increasing frequency of zero-day disclosures—combined with the sophistication of modern attacks—demonstrates the relentless arms race between defenders and attackers.

The partnership between Apple and Google TAG is a positive step toward cross-platform defense collaboration, but users must play their part by staying informed, vigilant, and updated.

As attackers evolve, so must we.

