Analysis of Apple Core Media and CoreAudio Zero-Day Vulnerabilities Impacting iOS and macOS Systems
- Rescana
- Apr 17

Executive Summary
In April 2025, Apple addressed two critical zero-day vulnerabilities, CVE-2025-31200 and CVE-2025-31201, which were being actively exploited in sophisticated attacks targeting iOS users. These vulnerabilities affected key components within iOS and iPadOS and have been patched in the latest software updates. Although specific threat actors have not been identified, the precision and sophistication of these exploits suggest the involvement of highly skilled, possibly state-backed actors.
Technical Information
The zero-day vulnerabilities CVE-2025-31200 and CVE-2025-31201 pose significant security risks because they affect fundamental components of iOS and iPadOS.
CVE-2025-31200 is a vulnerability affecting CoreAudio, a critical system for managing audio streams on Apple devices. The flaw involves memory corruption triggered by processing malicious media files, potentially allowing unauthorized code execution. Apple addressed this vulnerability by enhancing bounds checking to prevent memory corruption.
CVE-2025-31201 impacts RPAC (Return Pointer Authentication Code), a security feature that guards against return-oriented programming (ROP) attacks, which are a form of control flow hijacking. The flaw could allow attackers to bypass Pointer Authentication, nullifying a core security defense. Apple mitigated this vulnerability by removing the problematic code and fortifying RPAC protections.
These zero-day vulnerabilities, if left unpatched, could allow attackers to gain unauthorized access to devices, execute arbitrary code, and potentially control the affected systems. The targeted nature and complexity of the attacks exploiting these vulnerabilities underscore the need for immediate patch application and heightened security awareness.
Exploitation in the Wild
The exploitation of these vulnerabilities has been part of an "extremely sophisticated" attack campaign targeting specific iOS users. Although there are no public reports detailing the specific threat actors involved, the nature of the exploits suggests advanced threat actors focusing on high-value individuals or entities.
APT Groups using this vulnerability
While specific Advanced Persistent Threat (APT) groups exploiting these vulnerabilities have not been publicly identified, the sophistication and targeted approach of the attacks indicate the involvement of state-sponsored or well-funded cybercriminal organizations. These groups typically operate in sectors such as government, finance, and critical infrastructure across regions including North America, Europe, and Asia.
Affected Product Versions
The following devices and versions are affected by these vulnerabilities:
- iPad mini (5th generation and later)
- iPhone XS and later
- iPad Pro 13-inch and larger (3rd generation and later)
- iPad Pro 11-inch (1st generation and later)
- iPad Air (3rd generation and later)
- iPad (7th generation and later)
Workaround and Mitigation
Apple has released updates to address these vulnerabilities with improved security measures. Users are strongly advised to update their devices to the latest software versions:
- iOS 18.4.1
- iPadOS 18.4.1
To apply these updates, users should navigate to Settings > General > Software Update on their devices. Beyond updating, users should adopt further security practices such as enabling two-factor authentication and regularly reviewing app permissions to mitigate potential risks.
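For teams managing many devices, the fixed versions above can be checked against an inventory export. The following is an added example, not part of the original report: the CSV column names, device IDs and sample rows are constructed, and it assumes the inventory only contains devices from the affected list above.

```python
import csv
import io
import re

# Fixed releases named in this report; it gives none for other platforms.
FIXED = {"iOS": (18, 4, 1), "iPadOS": (18, 4, 1)}

# Constructed sample inventory (hypothetical MDM export, assumed column names).
SAMPLE_INVENTORY = """device_id,os,os_version
d-001,iOS,18.4.1
d-002,iOS,18.4
d-003,iPadOS,18.3.2
d-004,iOS,18.10
d-005,iPadOS,18.4.1 (build-placeholder)
d-006,macOS,15.4
d-007,iOS,unknown
"""

def parse_version(text):
    """Return (major, minor, patch), or None if no leading version number."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    # Missing components count as 0, so "18.4" sorts below "18.4.1".
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(os_name, version_text):
    fixed = FIXED.get(os_name)
    if fixed is None:
        return "not-covered"      # no fixed version for this OS in the report
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # unparseable: needs manual follow-up
    # Tuple comparison is numeric; comparing the raw strings would wrongly
    # rank the constructed "18.10" below "18.4.1".
    return "patched" if version >= fixed else "update-required"

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["os"].strip(), r["os_version"])
            for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}\t{status}")
```

Devices reported as `unknown` or `not-covered` are not confirmed safe; they fall outside what this check can decide.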
Rescana is here for you
At Rescana, we prioritize helping our customers navigate the complexities of cybersecurity threats. Our Third Party Risk Management (TPRM) platform provides comprehensive insights into potential vulnerabilities and risks, enabling organizations to make informed decisions and enhance their security posture. Should you have any questions about this report or require assistance with any cybersecurity issues, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your digital assets.