{"id":2797,"date":"2025-04-17T11:32:08","date_gmt":"2025-04-17T11:32:08","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2797"},"modified":"2025-04-17T11:32:08","modified_gmt":"2025-04-17T11:32:08","slug":"hackers-target-apple-users-in-an-extremely-sophisticated-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2797","title":{"rendered":"Hackers target Apple users in an \u2018extremely sophisticated attack\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Apple is urging immediate patching of two zero-day vulnerabilities in its CoreAudio and RPAC components, citing their use in what the iPhone maker describes as \u201cextremely sophisticated attacks.\u201d<\/p>\n<p>Tracked as CVE-2025-31200 (CoreAudio) and CVE-2025-31201 (RPAC), the vulnerabilities were exploited in the wild to carry out code execution and memory corruption attacks, respectively.<\/p>\n<p>\u201cApple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS,\u201d the company said of both bugs in an <a href=\"https:\/\/support.apple.com\/en-us\/122282\">advisory<\/a> issued on Wednesday.<\/p>\n<p>While only iPhone exploitation was reported, Apple warned that the flaws affect a broader range of its product line, including devices running iOS, iPadOS, tvOS, visionOS, and macOS.<\/p>\n<h2 class=\"wp-block-heading\">Hackers abused flaws for code execution and authentication bypass<\/h2>\n<p>The issue impacting Apple\u2019s CoreAudio, a low-level <a href=\"https:\/\/www.csoonline.com\/article\/2148088\/understanding-apis-and-how-attackers-abuse-them-to-steal-data.html\">API<\/a> for managing all things audio on Apple operating systems, is a high-severity, CVSS 7.5\/10, 
memory corruption flaw. \u201cProcessing an audio stream in a maliciously crafted media file may result in code execution,\u201d an NVD <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-31200\">description<\/a> said.<\/p>\n<p>While Apple did not share further exploitation details, code execution using this attack vector can potentially lead to data theft, surveillance, or further compromise.<\/p>\n<p>Reconfigurable Processing Architecture Core (RPAC) is a specialized hardware block in newer Apple Silicon aimed at advanced compute tasks. The vulnerability, CVE-2025-31201, is a medium-severity\u2014CVSS 6.8\/10\u2014coding oversight that allows an attacker with arbitrary read and write capability to bypass Pointer Authentication.<\/p>\n<p>Pointer Authentication protects against memory corruption attacks on a hardware component by cryptographically signing pointers, such as return addresses. Bypassing this check could potentially enable privilege escalation, persistence, and kernel compromise.<\/p>\n<h2 class=\"wp-block-heading\">Flaws patched across the board<\/h2>\n<p>According to the NVD description, Apple issued a fix for all impacted operating systems. Patched Apple OS rollouts include tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1, iPadOS 18.4.1, and macOS Sequoia 15.4.1.<\/p>\n<p>Specific iPhones and iPads that will receive the patch include iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, Apple said.<\/p>\n<p>These flaws bring the total to five zero-days Apple has had to plug this year, after being hit with one each in January, February, and March. 
Apple is operating on a razor-thin margin for error, with threat actors punishing even the slightest coding missteps, as it closes in on its 2024 tally of six zero-days, including the infamous duo used in <a href=\"https:\/\/www.csoonline.com\/article\/642935\/apple-patches-exploits-used-in-spy-campaign-operation-triangulation.html\">Operation Triangulation<\/a>, in just under four months.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Apple is urging immediate patching of two zero-day vulnerabilities in its CoreAudio and RPAC components, citing their use in what the iPhone maker describes as \u201cextremely sophisticated attacks.\u201d Tracked as CVE-2025-31200 (CoreAudio) and CVE-2025-31201 (RPAC), the vulnerabilities were exploited in the wild to carry out code execution and memory corruption attacks, respectively. \u201cApple is aware [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2798,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2797"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2797"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2797\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2798"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/i
ndex.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}