Apple has deployed emergency security patches on Wednesday across its operating systems, scrambling to fix a pair of zero-day vulnerabilities confirmed to be under active exploitation. The company acknowledged that the flaws, affecting core audio processing and a specific processor security feature, were weaponized in targeted campaigns.
In its advisory, Apple noted it was aware of reports that “this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.” The critical updates target not just iOS and iPadOS, but also macOS, tvOS, and visionOS, signaling the widespread nature of the underlying issues.
Audio Flaw Allows Code Execution
One vulnerability, identified as CVE-2025-31200, creates a serious risk through Apple’s CoreAudio framework. This memory corruption defect means attackers could potentially run arbitrary code on a device if a user simply processes a carefully crafted, malicious audio file. This type of exploit could lead to data theft or broader system compromise.
Reflecting the potential severity, CISA-ADP assigned the flaw a CVSS 3.1 score of 7.5 (High), citing high potential impacts on confidentiality, integrity, and availability, although its vector requires user interaction and has high complexity. Apple stated this vulnerability was addressed through “improved bounds checking” and credited its discovery to both internal teams and Google’s Threat Analysis Group (TAG).
Processor Security Feature Bypassed
The second issue, CVE-2025-31201, targets the Reconfigurable Processing Architecture Core (RPAC) found in newer Apple Silicon chips. This vulnerability allowed attackers who had already gained read/write access on a device to sidestep Pointer Authentication (PAC).
PAC is a hardware-level security feature in ARM architectures designed to cryptographically sign pointers, making it harder for attackers to hijack program control flow through techniques like return-oriented programming (ROP). Successfully bypassing PAC could enable deeper system attacks, such as privilege escalation. Apple, which discovered this flaw internally, stated it was fixed by “removing the vulnerable code.”
Updates Span iPhones, iPads, Macs, Apple TV, and Vision Pro
Although the active attacks were reported against iOS devices, the patches confirm a wider impact. The fixes are included in iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1.
Hardware receiving the updates includes iPhone XS and newer models; various iPad Pros (11-inch 1st gen+, 12.9-inch 3rd gen+, 13-inch), iPad Airs (3rd gen+), standard iPads (7th gen+), and iPad minis (5th gen+); along with Apple TV HD, all Apple TV 4K models, and the Apple Vision Pro. Given the confirmation of active exploitation, users are advised to apply these updates swiftly.
Zero-Days Mount Amidst Growing Apple Threats
These two flaws mark the fourth and fifth zero-day vulnerabilities Apple has publicly patched in 2025, putting the company on pace to potentially exceed its 2024 total of six (which included flaws used in the Operation Triangulation spying campaign) in just the first few months of the year.
The previously patched 2025 zero-days were CVE-2025-24085 (January), CVE-2025-24200 (February), and CVE-2025-24201 (March). This uptick occurs as security researchers and reports, like one in March concerning phishing campaigns targeting Mac users, suggest increased attacker interest in Apple’s ecosystem, challenging its past reputation as a less frequent target than Windows. While the current attacks were described as highly targeted, the availability of patches necessitates action from all users with affected devices.
