Apple Patches Two Zero-Day Flaws Used in Targeted iPhone Attacks

Apple has released emergency security updates to fix two zero-day vulnerabilities exploited in an “extremely sophisticated attack” against specific targets’ iPhones. The two bugs, CVE-2025-31200 and CVE-2025-31201, were found in CoreAudio and RPAC, respectively.

CVE-2025-31200 allows attackers to achieve remote code execution on a device when it processes maliciously crafted media files. CVE-2025-31201 enables attackers with read or write access to bypass Pointer Authentication (PAC), an iOS security feature.

Both vulnerabilities have been fixed in recent iOS and macOS updates, including iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, and macOS Sequoia 15.4.1. The impacted devices include newer iPhone models, iPads, Apple TVs, and the Apple Vision Pro.

Although the flaws were exploited in targeted attacks, users are advised to install the security updates immediately to protect themselves. This is the fifth zero-day fix for Apple this year, following previous patches in January, February, and March.

Source: https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks