Apple Rushes Out Critical Fixes for Actively Exploited Zero-Day Vulnerabilities

Apple has released urgent security updates across its major platforms to address two newly discovered zero-day vulnerabilities that were actively exploited in targeted attacks. The flaws, affecting CoreAudio and Pointer Authentication components, are part of a growing pattern of sophisticated exploits aimed at high-value targets, prompting immediate patch deployment for iOS, macOS, iPadOS, visionOS, and Safari.

CoreAudio Flaw Could Allow Remote Code Execution

The first vulnerability, tracked as CVE-2025-31200, resides in CoreAudio, Apple’s system framework responsible for handling audio streams. This memory corruption issue could be triggered by a maliciously crafted audio file, allowing attackers to execute arbitrary code on the device without user interaction.

Apple credited Google’s Threat Analysis Group for assisting in the discovery, and resolved the issue by enhancing bounds checking to prevent memory overflows. According to cybersecurity researchers, this type of exploit is especially dangerous due to its ability to compromise a system simply through the processing of an audio stream, making it ideal for stealthy surveillance operations against specific targets.

No public attribution has been made, but experts speculate the attacks may be linked to nation-state actors, given the advanced technical nature of the exploit and its limited, targeted use.

Pointer Authentication Bypass Raises Red Flags

The second critical vulnerability, CVE-2025-31201, targets Pointer Authentication (PAC), a crucial security feature in Apple silicon designed to thwart memory-based attacks. This flaw allows adversaries with read and write access to bypass PAC protections, enabling code execution and system compromise without triggering pointer validation failures.

Apple chose to completely remove the vulnerable code rather than apply a patch, signaling the severity of the issue. Similar vulnerabilities have been observed in the past, such as the 2022 “PACMAN” exploit, which combined speculative execution with PAC bypass techniques. Apple confirmed that this new flaw had been exploited in a “highly sophisticated, targeted attack” against iOS users.

Previously Patched WebKit Zero-Day Also Part of Sophisticated Campaign

These new updates follow Apple’s March 11 emergency patches for a WebKit zero-day (CVE-2025-24201) that had been actively exploited in the wild. This bug, described as an out-of-bounds write issue, allowed malicious web content to break out of WebKit’s sandbox and execute arbitrary code.

The initial patches in March covered iOS 18.3.2, macOS Sequoia 15.3.2, iPadOS 18.3.2, visionOS 2.3.2, and Safari 18.3.1, with subsequent updates extended to older hardware via iOS 16.7.11, iOS 15.8.4, and corresponding iPadOS versions.

Together, the three zero-days addressed in 2025 so far mark a troubling trend in high-sophistication, zero-interaction exploits targeting Apple devices. These vulnerabilities are not believed to have been used for mass exploitation, but rather in precision-targeted attacks likely connected to espionage or surveillance campaigns.

Security Update Coverage and Recommendations

Apple’s latest fixes are now available via:

  • iOS 18.4.1
  • macOS Sequoia 15.4.1
  • iPadOS 18.4.1
  • visionOS and Safari updates
  • Legacy updates for devices still on iOS 15/16

All users, particularly those in high-risk categories such as journalists, activists, and executives, are strongly advised to install the updates immediately. While Apple has not released technical indicators of compromise, the nature of the attack campaign underscores the urgent need for users to remain current with security patches.
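
For teams managing device fleets, the version floor listed above can be turned into a quick compliance check. The script below is an added example, not an Apple or vendor tool: the inventory rows, hostnames and column names are constructed, and because the article gives no fixed version numbers for visionOS, Safari or the iOS 15/16 branches, devices on those are routed to manual review instead of being guessed at.

```python
import csv
import io

# Minimum fixed versions stated in the article for the CoreAudio and PAC fixes.
FIXED = {"iOS": (18, 4, 1), "iPadOS": (18, 4, 1), "macOS": (15, 4, 1)}

# Constructed inventory export (hypothetical hostnames and column names).
SAMPLE_INVENTORY = """hostname,platform,os_version
exec-iphone-01,iOS,18.4.1
press-iphone-07,iOS,18.3.2
design-mbp-12,macOS,15.4
field-ipad-03,iPadOS,18.4.1
legacy-iphone-02,iOS,16.7.10
lab-vision-01,visionOS,2.3.2
kiosk-ipad-09,iPadOS,18.5
broken-row,iOS,unknown
"""

def parse_version(text):
    """Turn '15.4' into (15, 4, 0); raises ValueError on non-numeric input."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'review' for one device."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"  # unparseable version string: check the device by hand
    fixed = FIXED.get(platform)
    # No version stated for this platform, or the device sits on an older
    # major branch whose legacy fix version the article does not give.
    if fixed is None or version[0] < fixed[0]:
        return "review"
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_csv):
    """Group hostnames from a CSV inventory by patch status."""
    report = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["platform"], row["os_version"])
        report[status].append(row["hostname"])
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Note that a macOS device reporting 15.4 lands in the vulnerable group: the missing patch component is padded to zero, so it compares below 15.4.1.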

These zero-day vulnerabilities further cement Apple’s role as a high-profile target for advanced cyber threat actors and highlight the escalating arms race between platform security and exploit development.
