Apple on Wednesday issued emergency security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to fix two newly discovered vulnerabilities that the company says are being actively exploited in the wild.
The flaws—both considered high-risk—have been tracked as CVE-2025-31200 and CVE-2025-31201.
- CVE-2025-31200 (CVSS score: 7.5): A memory corruption vulnerability within the Core Audio framework. Apple said this vulnerability could enable attackers to execute arbitrary code when a maliciously crafted media file is processed.
- CVE-2025-31201 (CVSS score: 6.8): Affects the RPAC component. It allows attackers with arbitrary read and write capabilities to bypass Pointer Authentication, a key security mechanism on Apple devices.
The vulnerabilities were discovered and reported by Apple’s internal security team, with Google’s Threat Analysis Group (TAG) also credited for identifying CVE-2025-31200.
These patches mark the fourth and fifth zero-day vulnerabilities addressed by Apple so far this year, signaling an ongoing trend of advanced threat actors targeting Apple’s products.
Mitigation
Apple said it mitigated CVE-2025-31200 by implementing improved bounds checking, while CVE-2025-31201 was addressed by removing the vulnerable section of code entirely. In an advisory, Apple noted that the flaws were “exploited in an extremely sophisticated attack against specific targeted individuals on iOS,” though it did not disclose additional details about the campaign or affected parties.
Conclusion
Apple users are strongly urged to update their devices as soon as possible to ensure protection against these actively exploited threats. As always, the company is refraining from providing specific details until a majority of users have installed the patches.
Source: hxxps[://]support[.]apple[.]com/en-us/122400
