Apple Fixes Two Zero Days in iOS

Apple has released an update for iOS and macOS that fixes two serious vulnerabilities that have been actively exploited in the wild.
The updates, released Thursday, fix flaws in the CoreAudio and RPAC components of the operating systems. Apple does not provide technical details of the bugs in its security updates, so it’s difficult to tell exactly what the underlying issues are. But one of the vulnerabilities was discovered by Google’s Threat Analysis Group, a highly specialized team that tracks APT groups and other highly skilled attackers, which suggests that bug (CVE-2025-31200) may have been exploited by an APT.
That vulnerability is an issue in the CoreAudio component of iOS and macOS, which is the low-level audio processing infrastructure in the operating systems.
“Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS,” the advisory says.
The second vulnerability (CVE-2025-31201) is in RPAC in both iOS and macOS Sequoia.
“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS,” the advisory says.
The updated versions of the affected software are macOS Sequoia 15.4.1 and iOS 18.4.1. The bugs were also patched in tvOS 18.4.1 and visionOS 2.4.1.