NEWS Apple Patches Two 0-Day Exploits Used in iPhone Attacks

[ExcalibuR]

The company rolls out emergency updates for all platforms, including iOS, macOS, and visionOS.​

​

Apple has released out-of-band security updates to address two zero-day vulnerabilities exploited in a "highly sophisticated attack" targeting a limited number of iPhone users. The flaws—CVE-2025-31200 (CoreAudio) and CVE-2025-31201 (RPAC)—affect all major Apple operating systems: iOS, macOS, tvOS, iPadOS, and visionOS.

According to Apple, the CoreAudio bug allows an attacker to execute remote code execution (RCE) by tricking a device into processing a maliciously crafted audio file. The vulnerability was discovered by Apple’s security team in collaboration with Google’s Threat Analysis Group (TAG).

The second flaw, in the RPAC (Return-oriented Programming with PAC bypass) component, circumvents Pointer Authentication (PAC)—a critical memory protection feature in iOS. This exploit was identified solely by Apple’s internal researchers.

Neither Apple nor Google has disclosed specific attack details, describing the incidents as "extremely targeted" and using "exceptionally advanced techniques."

Affected Devices & Updates​

The fixes are included in:

• iOS 18.4.1
• iPadOS 18.4.1
• tvOS 18.4.1
• macOS Sequoia 15.4.1
• visionOS 2.4.1

Impacted devices include:

• All iPhone models since XS
• iPad Pro, iPad Air, iPad mini
• Apple TV
• Vision Pro headset

Though the attacks were limited, Apple strongly urges all users to install the updates immediately. These mark the fourth and fifth zero-days patched by Apple this year, following fixes in January, February, and March.