Menu
Apple has released emergency security updates for iOS/iPadOS, macOS, tvOS, and visionOS that fix two zero-day vulnerabilities (CVE-2025-31200, CVE-2025-31201) that have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
CVE-2025-31200 affects CoreAudio, an API Apple devices use for processing audio. The memory corruption vulnerability can be triggered with a maliciously crafted media file: when the audio stream in it is processed, it allows attackers to execute malicious code.
CVE-2025-31201 is an issue in RPAC (Return Pointer Authentication Code), a security feature that aims to thwart return-oriented programming attacks and similar code reuse exploits.
The vulnerability allows an attacker with arbitrary read and write capability to bypass pointer authentication. Apple fixed the security hole by removing the vulnerable code.
NCSC Threat Reports Feed© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.
