Apple has deployed emergency updates to correct two serious security defects which were actively exploited in very targeted attacks against iPhones and other Apple devices. Correctives, published on April 16 as part of iOS 18.4.1 and macOS Sequoia 15.4.1, Vulnerabilities of the day zero.
Apple said these bugs had been used in an “extremely sophisticated attack on specific targeted individuals on iOS”.
Within iOS and macOS vulnerabilities
THE two bugsFollowed under the name of CVE-2025-31200 and CVE-2025-31201, affect the Coreaudio and RPAC components of Apple software.
- CVE-2025-31200 (Koreaudio): This bug allows hackers to take control of a device simply by running it in the processing of a malicious multimedia file. Apple has credited the discovery to its internal team and researchers to Google threat analysis group – A unit known for monitoring advanced cyber attacks, often linked to government actors.
- CVE-2025-31201 (RPAC): This defect affects a safety mechanism called the pointer authentication, designed to prevent memory attacks. Pirates who have read and wrote access to a device could bypass this protection and divert the system. Apple has found and corrected this bug internally by deleting the vulnerable code.
What Apple devices have been assigned?
Although Apple did not say who was behind the attacks or how many people have been affected, the language that the company used – “specific targeted individuals” – strongly suggests that these are not random hacks, but deliberate and precise operations. This, combined with the involvement of Google, has increased speculation on the possible links with the surveillance campaigns supported by the government.
Affected devices include:
- iPhone XS and more recent iPhones.
- 7th generation and more recent iPads.
- Mac running macOS Sequoia.
- All Apple TV HD and Apple TV 4K models.
- Apple Vision Pro helmet manager.
A growing list of zero days
These last fixes bring the number of zero-day Porgé by Apple this year at five years. Previous vulnerabilities were sent in January, February and March. Apple generally retains details on current exploits under Wraps, and this case is not different. The company did not explain exactly how the bugs were used.
