
Apple fixes two zero-day vulnerabilities used to spy on its customers

Two zero-day exploits were used in targeted attacks on iOS users. Apple has now patched both with a quiet security update.

In a recently published document, Apple has disclosed that two zero-day vulnerabilities affecting iOS devices have likely been exploited in the wild.

The company confirmed that both bugs were used in "extremely sophisticated" attacks, and that they targeted specific individuals. No broad threat to the general user base was mentioned, but the wording is familiar. This kind of language tends to appear when things like spyware or state-sponsored activity are in the mix, much like what we saw with Pegasus a few years ago.

The two vulnerabilities are tied to CoreAudio and RPAC, two internal frameworks most users don't usually think about. But both sit deep in iOS's guts.

"Processing an audio stream in a maliciously crafted media file may result in code execution," Apple says about the CoreAudio bug (CVE-2025-31200), which it patched by fixing a memory corruption issue with better bounds checking.

The second issue, tracked as CVE-2025-31201, is a little more abstract but arguably more dangerous. It involves RPAC, a low-level component of the platform's security architecture. The bug allowed an attacker who already had arbitrary read and write access to bypass pointer authentication, a hardware-backed feature that helps prevent memory corruption exploits from redirecting control flow. Apple responded by simply removing the vulnerable code altogether.

Now, Apple doesn't usually admit when vulnerabilities are being actively exploited, unless it really has to. It also rarely names names or offers detailed breakdowns, especially when the dust is still settling.

So when a document like this goes out, it's usually a good bet that something serious happened behind the scenes. And considering that both fixes landed quietly ahead of WWDC, it's possible Apple wanted to get them out of the way before shifting the spotlight to iOS 19's big, flashy features like a revamped UI and smarter Siri.

This isn't the first time Apple devices have been quietly exploited. Back in 2021, the FORCEDENTRY zero-click iMessage bug was used to install Pegasus spyware without the user ever tapping a link.

Apple says the bugs are fixed in iOS 18.4.1 and iPadOS 18.4.1, which are available now. If you're on an iPhone XS or later, or a compatible iPad, this is one of those updates you probably want to install right away.

There are also fixes available for tvOS 18.4.1, macOS Sequoia 15.4.1, and visionOS 2.4.1.
