Apple fixes two actively exploited iOS zero-days

Apple has rolled out critical security updates across its platforms, including iOS, iPadOS, macOS Sequoia, tvOS, and visionOS, to patch two newly discovered security flaws that are reportedly being actively exploited in the wild.

One of the zero-day flaws is tracked as CVE-2025-31200 and is described as a memory corruption flaw in the Core Audio framework, potentially allowing arbitrary code execution when processing maliciously crafted media files.

The second flaw is CVE-2025-31201, an improper authentication issue in the RPAC component, which could allow attackers with arbitrary read/write access to bypass Pointer Authentication security protections.

According to Apple, the flaws have been used in “extremely sophisticated attacks” targeting specific individuals, underscoring the urgent need for users to update their devices.

The security updates are available as iOS 18.4.1 / iPadOS 18.4.1 (iPhone XS and later, iPad Pro 13-inch and newer, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later); macOS Sequoia 15.4.1; tvOS 18.4.1 (Apple TV HD and all Apple TV 4K models); and visionOS 2.4.1 (Apple Vision Pro).

CVE-2025-31200 was mitigated via improved bounds checking, while CVE-2025-31201 was addressed by removing the vulnerable code.

With this latest update, Apple has now patched a total of five actively exploited zero-day vulnerabilities since the start of 2025, including:

  • CVE-2025-24085 – A use-after-free bug in Core Media that could elevate privileges for malicious apps

  • CVE-2025-24200 – An authorization issue in Accessibility used to disable USB Restricted Mode

  • CVE-2025-24201 – An out-of-bounds write in WebKit enabling sandbox escapes via crafted web content

Users are strongly encouraged to update their devices immediately to minimize the risk of attacks.

