2 Apple Zero-Day Vulnerabilities Actively Exploited in “Extremely” Sophisticated iOS Attacks

Apple has urgently rolled out iOS 18.4.1 and iPadOS 18.4.1 to patch two zero-day vulnerabilities that were actively exploited in “extremely sophisticated” attacks aimed at specific iOS users.

The flaws, found in the CoreAudio and RPAC components, posed serious risks, including unauthorized code execution and the bypassing of critical security protections.

The first vulnerability, CVE-2025-31200, affects CoreAudio, a key system for handling audio streams on iOS and iPadOS devices.

Apple disclosed that processing a maliciously crafted media file could exploit a memory corruption flaw, potentially allowing attackers to run harmful code.

Apple and Google’s Threat Analysis Group confirmed reports of this issue’s use in targeted attacks, indicating a highly advanced operation.

The second issue, CVE-2025-31201, lies in RPAC, a security feature designed to thwart return-oriented programming attacks.

This flaw could enable an attacker with read and write access to disable Pointer Authentication, undermining a core defense mechanism.

The same targeted campaign also exploited this vulnerability, which Apple acknowledged and fixed by removing the problematic code.

Affected Devices

The updates apply to a wide range of devices, including

• iPad mini (5th generation and later)
• iPhone XS and later
• iPad Pro 13-inch, iPad Pro 13.9-inch (3rd generation and later)
• iPad Pro 11-inch (1st generation and later)
• iPad Air (3rd generation and later)
• iPad (7th generation and later)

Apple resolved the CoreAudio flaw through enhanced bounds checking and eliminated the RPAC vulnerability by excising the affected code.

Apple has not revealed specifics about the targets or perpetrators, but the precision and complexity of the attacks suggest involvement of advanced threat actors, possibly state-backed groups.

Zero-day vulnerabilities, which exploit unknown flaws, are typically deployed in high-stakes scenarios like espionage or attacks on prominent individuals. Cybersecurity experts warn that such threats, while rare, underscore the need for vigilance.

“These exploits are a stark reminder of how critical timely updates are,” said a cybersecurity analyst familiar with the issue. “Users must act quickly to secure their devices against these kinds of targeted threats.”

True to its security protocol, Apple withheld details of the vulnerabilities until fixes were ready, prioritizing user safety.

The company’s security release notes, issued on April 16, 2025, outline the vulnerabilities and affected devices. Additional details are available on the Apple Product Security page.

Users can update to iOS 18.4.1 or iPadOS 18.4.1 by navigating to Settings > General > Software Update.

Apple urges all eligible users to install the update immediately to protect against potential exploitation.