Apple fixes two critical flaws in CoreAudio and RPAC in emergency patch

The attacks were aimed at “specific targeted individuals,” according to Apple

On April 16, 2025, Apple issued[1] out-of-band security updates to repair two zero-day flaws, CVE-2025-31200 and CVE-2025-31201, actively exploited in targeted attacks.

Apple's advisory covers iOS, iPadOS, macOS, tvOS, and visionOS, and the company instructs users to update at once. Apple labeled the attacks “extremely sophisticated” and aimed at known individuals, but did not say who exactly was affected or how the bugs were exploited.

The impact

CVE-2025-31200 is a memory corruption bug in CoreAudio, Apple's API for audio processing across its products. It allows an attacker to execute malicious code by way of a hostile media file, which can compromise the device. CVE-2025-31201 affects RPAC (Return Pointer Authentication Code), a security feature that mitigates code-reuse attacks.

This flaw could enable an attacker who already has read/write access to bypass that protection and gain higher privileges. Apple remediated CVE-2025-31200 with improved bounds checking and CVE-2025-31201 by removing the vulnerable code altogether.

The discovery of CVE-2025-31200 came from Apple and Google’s Threat Analysis Group (TAG), which tracks state-sponsored and advanced threats. CVE-2025-31201 was flagged by Apple alone. For now, Apple advises all users to update to iOS 18.4.1, macOS Sequoia 15.4.1, or other patched versions to stay safe.

Which devices are affected?

The zero-day vulnerabilities affect a wide range of Apple devices, from older models to the latest releases.[2] Affected devices include iPhone XS and newer, various iPads like the iPad Pro 13-inch, iPad Pro 13.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), and iPad mini (5th generation and later). This broad scope underscores the urgency for users to update their devices to the latest software versions.

The flaws also impact macOS Sequoia systems, Apple TV HD, Apple TV 4K (all models), and the Apple Vision Pro. With such a diverse list of affected hardware, these vulnerabilities could expose personal data or allow unauthorized access if left unpatched. Apple’s emergency updates, including iOS 18.4.1 and macOS Sequoia 15.4.1, are essential to protect users across these platforms from ongoing attacks.
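A fleet check a defender might run against the patch levels named above, as an added example that is not code from the article or from Apple. The patched floors come from the article (iOS 18.4.1, macOS Sequoia 15.4.1); iPadOS is assumed to share the iOS number, tvOS and visionOS get no number in the article and are reported as unknown, and the inventory lines are constructed sample data in the shape of an MDM export.

```python
"""Fleet check for Apple's April 16, 2025 out-of-band update (added example,
not the article's or Apple's code). Patched floors come from the article:
iOS 18.4.1 and macOS Sequoia 15.4.1; iPadOS is assumed to share the iOS
number. Inventory lines are constructed MDM-export-style sample data."""
from typing import Dict, List, Tuple

# Minimum versions carrying the fixes for CVE-2025-31200 / CVE-2025-31201.
# tvOS and visionOS get no version number in the article, so they are
# reported as "unknown" rather than guessed. Devices on an older major
# branch are flagged too; confirm those against Apple's advisory.
PATCHED_MIN: Dict[str, Tuple[int, ...]] = {
    "iOS": (18, 4, 1),
    "iPadOS": (18, 4, 1),  # assumption: same number as iOS
    "macOS": (15, 4, 1),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.4' or '15.4.1' into a comparable tuple padded to 3 parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def status(os_family: str, version: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for one device."""
    floor = PATCHED_MIN.get(os_family)
    if floor is None:
        return "unknown"
    return "patched" if parse_version(version) >= floor else "unpatched"

def unpatched_devices(inventory: str) -> List[Tuple[str, str, str]]:
    """Parse 'name,os,version' lines and return the devices still exposed."""
    exposed = []
    for line in inventory.strip().splitlines():
        name, os_family, version = (f.strip() for f in line.split(","))
        if status(os_family, version) == "unpatched":
            exposed.append((name, os_family, version))
    return exposed

# Constructed sample inventory (no real devices).
SAMPLE_INVENTORY = """
ceo-iphone,iOS,18.4
cfo-iphone,iOS,18.4.1
legal-ipad,iPadOS,18.3
design-mac,macOS,15.4.1
ops-mac,macOS,15.3
lobby-appletv,tvOS,18.4
"""

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print("UNPATCHED:", *dev)
```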

Why these vulnerabilities matter

Zero-day exploits like CVE-2025-31200 and CVE-2025-31201 are dangerous because they are used before patches are available, giving adversaries a window of opportunity.

Apple's notice states that these vulnerabilities were used against “specific targeted individuals,” i.e., possibly journalists, activists, or business executives – people who are often in the crosshairs of nation-state hackers:[1]

Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Google TAG's involvement suggests an APT may be behind the attacks, since the actors TAG tracks tend to be both stealthy and highly targeted.

CoreAudio's role in audio processing makes CVE-2025-31200 particularly dangerous. Malicious audio content (delivered, for example, in an email or on a hosted website) might trigger the bug without any user interaction, a method seen in previous attacks such as CVE-2023-32434.

Because CVE-2025-31201 weakens RPAC, a vital barrier against sophisticated attacks, attackers could gain the ability to manipulate a device's memory. Cybersecurity experts, including those at CrowdStrike, point out that vulnerabilities of this kind highlight the need for timely patching and layered defenses.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to its Known Exploited Vulnerabilities (KEV) catalog,[3] signaling their severity and pushing federal agencies to patch by May 7, 2025. For everyday users, updating devices is the best defense against these elusive threats.

Apple’s battle against rising zero-days

This isn’t Apple’s first brush with zero-days in 2025. Earlier this year, the company patched CVE-2025-24085 in January[4] and CVE-2025-24200 in February,[5] both exploited in the wild.

These incidents show attackers are moving faster, exploiting weaknesses in features like CoreAudio and RPAC to hit specific targets, likely those with political or corporate influence. Apple’s collaboration with CISA underscores the severity, but limited disclosure leaves questions about the full scope of the threat.

For cybersecurity professionals, these vulnerabilities signal a need for constant readiness. While average users are less likely targets, unpatched devices could enable wider attacks, so it's imperative all Apple device users implement the patch as soon as possible.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
