Apple is urging immediate patching of two zero-day vulnerabilities in its CoreAudio and RPAC components, citing their use in what the iPhone maker describes as “extremely sophisticated attacks.”
Tracked as CVE-2025-31200 (CoreAudio) and CVE-2025-31201 (RPAC), the vulnerabilities were exploited in the wild to carry out code execution and memory corruption attacks, respectively.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS,” the company said for both the bugs in an advisory issued on Wednesday.
While only iPhone exploitations were reported, Apple warned that the flaw affects a broader range of its product line, including devices running iOS, iPadOS, tvOS, visionOS, and macOS.
Hackers abused flaws for code execution and authentication bypass
The issue impacting Apple’s CoreAudio, a low-level API for managing all things audio on Apple operating systems, is a high-severity, CVSS 7.5/10, memory corruption flaw. “Processing an audio stream in a maliciously crafted media file may result in code execution,” an NVD description said.
While further exploitation details were skipped by Apple, code execution using this attack vector can potentially lead to data theft, surveillance, or further compromise.
Reconfigurable Processing Architecture Core (RPAC) is a specialized hardware block in newer Apple Silicon aimed at advanced compute tasks. The vulnerability, CVE-2025-31201, is a medium-severity—CVSS 6.8/10—coding oversight that allows an attacker with arbitrary read and write capability to bypass Pointer Authentication.
Pointer Authentication protects from memory corruption attacks on a hardware component by cryptographically signing pointers–return addresses. Bypassing this check could potentially enable privilege escalation, persistence, and kernel compromise.
Flaws patched across the board
According to the NVD description, Apple issued a fix for all impacted operating systems. Patched Apple OS rollouts include tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1, iPadOS 18.4.1, and macOS Sequoia 15.4.1.
Specific iPhones and iPads that shall be receiving the patch include iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, Apple said.
These flaws make up a total of five zero-days Apple has had to plug this year, previously hit with one each in January, February, and March. Apple is operating on a razor-thin margin for error, with threat actors punishing even the slightest coding missteps, as it closes in on its 2024 tally of six zero-days, including the infamous duo used in Operation Triangulation, in just under four months.
No Responses