Apple Patches Two Zero-Day Flaws Exploited in Sophisticated iOS Attacks

Apple has released iOS 18.4.1 and iPadOS 18.4.1 to fix two critical zero-day vulnerabilities exploited in highly targeted cyberattacks. The flaws affected CoreAudio and RPAC, potentially allowing attackers to run malicious code and bypass key security protections on iPhones and iPads.

Zero-day exploits Apr 17, 2025 Add to Reading List

Apple Patches Two Zero-Day Flaws Exploited in Sophisticated iOS Attacks

Apple Urgently Patches Two Actively Exploited Zero-Day Vulnerabilities in iOS 18.4.1

Apple has released critical updates for iOS and iPadOS—version 18.4.1—to patch two zero-day vulnerabilities that were actively exploited in what are being described as “extremely sophisticated” cyberattacks targeting specific iPhone users.

Two Zero-Days, One Coordinated Attack

The two vulnerabilities, tracked as CVE-2025-31200 and CVE-2025-31201, were found in CoreAudio and RPAC, both fundamental components of Apple’s operating system. These flaws allowed attackers to execute arbitrary code and bypass one of the system’s strongest security defenses.

CVE-2025-31200 (CoreAudio): This flaw involved a memory corruption issue triggered by malicious media files. If exploited, it could allow attackers to run unauthorized code on a victim’s device.
CVE-2025-31201 (RPAC): This vulnerability, affecting Apple’s Return-oriented Programming Attack Countermeasure, enabled attackers with read/write access to bypass Pointer Authentication, a key protection against low-level code manipulation.

Apple, in partnership with Google’s Threat Analysis Group, confirmed that both vulnerabilities were exploited in a highly targeted campaign. Though Apple has not disclosed who was targeted or who was behind the attacks, the precision and complexity suggest a threat actor with significant resources—possibly state-sponsored.

Affected Devices

The issues affect a wide range of Apple devices, including:

iPhone XS and later
iPad Pro 13-inch and 13.9-inch (3rd generation and later)
iPad Pro 11-inch (1st generation and later)
iPad Air (3rd generation and later)
iPad (7th generation and later)
iPad mini (5th generation and later)

How Apple Responded

Apple addressed the CoreAudio vulnerability with improved bounds checking to prevent memory corruption, while the RPAC flaw was mitigated by removing the vulnerable code entirely. As per Apple’s long-standing policy, details were kept under wraps until the fixes were ready to deploy, protecting users from further exploitation.

Why This Matters

Zero-day exploits—attacks that take advantage of previously unknown vulnerabilities—are rare and valuable tools, often used in cyber espionage and surveillance. Their use in these incidents underscores a growing global concern about digital threats aimed at individuals, such as journalists, activists, or high-profile targets.

“These kinds of attacks are not just technical—they’re political and strategic,” said a cybersecurity expert familiar with the matter. “It’s a reminder of how crucial regular updates are for device security.”