🟢 CVE-2025-31201

CVE-2025-31201 is a Pointer Authentication (PAC) bypass affecting Apple consumer operating systems (iOS, iPadOS, macOS, tvOS, visionOS). Although it has been exploited in the wild and carries a network attack vector, it requires an attacker who already holds arbitrary memory read and write on the device, and it affects client-side operating systems that are rarely exposed as internet-facing servers.

Risk Level: LOW_RISK
CVSS Score: 7.5
Attack Vector: NETWORK
ATT&CK Tactic: Execution
ATT&CK Technique: T1203 — Exploitation for Client Execution
Deployment Risk: VERY_LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-04-16

Added to CISA KEV: 2025-04-17 (1 day between CVE publication and KEV listing)

🎯 Recommendations:
  • Apply Apple's April 16, 2025 security updates (iOS 18.4.1 and iPadOS 18.4.1, and the corresponding macOS, tvOS and visionOS releases), which remove the vulnerable RPAC code.
  • Treat this CVE together with CVE-2025-31200: the PAC bypass only matters to an attacker who already has arbitrary read/write, and in the observed chain that primitive came from the zero-click CoreAudio bug. Confirm both fixes are deployed on managed devices.

šŸ” Web Intelligence (Kagi Ā· 2026-06-04)

CVE-2025-31201 is a security vulnerability in Apple's Pointer Authentication (PAC) mechanism, specifically involving the Return Pointer Authentication Code (RPAC) component [2] [4].

Below is a summary of the known details regarding this vulnerability:

Active Exploitation and Threat Actor Usage
  • Status: Apple acknowledged that this vulnerability may have been exploited in the wild prior to its patch [3].
  • Nature of Attacks: It was identified as part of a sophisticated, targeted attack chain rather than a widespread ransomware campaign [2] [8].
  • Exploit Chain: It was notably used in conjunction with CVE-2025-31200, a zero-click remote code execution (RCE) vulnerability in iOS CoreAudio, to achieve kernel escalation and bypass security protections [1].
Attack Method and Requirements
  • Exploitation Requirements: The vulnerability requires the attacker to already possess arbitrary memory read and write capabilities on the target system [3] [6].
  • Mechanism: It allows an attacker to bypass Pointer Authentication, a hardware-based mitigation that cryptographically signs pointers (return addresses among them) so that a forged or corrupted pointer fails authentication before it is used [6] [2].
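The requirement above (arbitrary read/write first, PAC bypass second) is easier to reason about with a software model of what pointer signing does. The C program below is an added example, not code from this page, from Apple, or from any of the cited analyses: it models the ARMv8.3 sign/authenticate pair with a toy keyed hash standing in for the hardware cipher (the key, stack pointers, return and gadget addresses are all constructed), and shows why a plain arbitrary write is not enough to redirect a return. An overwritten return address carries no valid PAC, and a validly signed pointer harvested by an arbitrary read from another frame fails because the modifier binds it to its context. It does not model the CVE-2025-31201 bypass itself, whose mechanism the page does not describe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of ARMv8.3 pointer authentication (added example, not Apple's PAC).
 * Real hardware keeps the keys in privileged system registers and computes the PAC
 * with the QARMA block cipher; here a toy keyed hash makes the scheme visible. */

#define PAC_SHIFT 48u
#define PAC_BITS  16u
#define PAC_MASK  ((((uint64_t)1 << PAC_BITS) - 1) << PAC_SHIFT)

/* Constructed process-wide key. In hardware this is unreadable from user mode. */
static const uint64_t g_ia_key = 0x9E3779B97F4A7C15ULL;

/* Toy keyed hash in place of the PAC cipher (not cryptographically sound). */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x;
}

static uint16_t compute_pac(uint64_t canonical_ptr, uint64_t modifier) {
    return (uint16_t)(mix64(canonical_ptr ^ mix64(modifier ^ g_ia_key)) >> 48);
}

/* PACIA-like: embed the PAC in the otherwise unused top bits of a user pointer.
 * The modifier is the context, e.g. the stack pointer for a return address. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    uint64_t canonical = ptr & ~PAC_MASK;
    return canonical | ((uint64_t)compute_pac(canonical, modifier) << PAC_SHIFT);
}

/* AUTIA-like: verify and strip. On mismatch return false and a non-canonical
 * pointer, mirroring hardware, which poisons the pointer so the next branch faults. */
bool pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t *out) {
    uint64_t canonical = signed_ptr & ~PAC_MASK;
    uint16_t got = (uint16_t)(signed_ptr >> PAC_SHIFT);
    if (got != compute_pac(canonical, modifier)) {
        *out = canonical | ((uint64_t)1 << 62);  /* poison bit */
        return false;
    }
    *out = canonical;
    return true;
}

/* Scenario 1: normal prologue/epilogue. The return address is signed with SP as
 * modifier when saved and authenticated under the same SP on return. */
bool scenario_legit_return(void) {
    const uint64_t ret_addr = 0x0000000100004000ULL;  /* constructed text address */
    const uint64_t sp       = 0x000000016FDFF000ULL;  /* constructed stack pointer */
    uint64_t slot = pac_sign(ret_addr, sp);           /* value stored in the frame */
    uint64_t target;
    return pac_auth(slot, sp, &target) && target == ret_addr;
}

/* Scenario 2: an attacker with an arbitrary write overwrites the saved return
 * address with a gadget address. Without the key the PAC bits are wrong. */
bool scenario_overwrite_without_key(void) {
    const uint64_t sp     = 0x000000016FDFF000ULL;
    const uint64_t gadget = 0x0000000100008F00ULL;    /* constructed gadget address */
    uint64_t slot = pac_sign(0x0000000100004000ULL, sp);
    slot = gadget;                                    /* raw write of an unsigned pointer */
    uint64_t target;
    return pac_auth(slot, sp, &target);               /* expected: false */
}

/* Scenario 3: an attacker with an arbitrary read harvests a pointer validly
 * signed in another frame (different SP) and replays it into the victim frame.
 * The modifier binds the signature to its context, so the replay also fails. */
bool scenario_replay_other_context(void) {
    const uint64_t victim_sp = 0x000000016FDFF000ULL;
    const uint64_t other_sp  = 0x000000016FDFE000ULL;
    uint64_t harvested = pac_sign(0x0000000100008F00ULL, other_sp);
    uint64_t target;
    return pac_auth(harvested, victim_sp, &target);   /* expected: false */
}

/* Scenario 4: blind forgery. With 16 PAC bits and no key, the attacker can only
 * guess; returns how many guesses this model needs. In hardware each wrong guess
 * faults the process, which is why a signing oracle or key leak is sought instead. */
unsigned forge_attempts(void) {
    const uint64_t sp     = 0x000000016FDFF000ULL;
    const uint64_t gadget = 0x0000000100008F00ULL;
    uint64_t target;
    for (unsigned guess = 0; guess < (1u << PAC_BITS); guess++) {
        uint64_t forged = (gadget & ~PAC_MASK) | ((uint64_t)guess << PAC_SHIFT);
        if (pac_auth(forged, sp, &target)) return guess + 1;
    }
    return 0;
}

int main(void) {
    printf("legitimate return authenticates:     %s\n", scenario_legit_return() ? "yes" : "no");
    printf("overwritten return authenticates:    %s\n", scenario_overwrite_without_key() ? "yes" : "no");
    printf("replayed other-frame pointer auths:  %s\n", scenario_replay_other_context() ? "yes" : "no");
    printf("blind forgery guesses needed:        %u of %u\n", forge_attempts(), 1u << PAC_BITS);
    return 0;
}
```

Build with `cc -std=c11 -O2 pac_model.c -o pac_model`. The point of the model is the gap between the two primitives the page names: arbitrary read/write lets an attacker place any value in a return slot, but producing a value that authenticates requires either the key, a signing gadget, or a weakness in the authentication path, which is the class of problem a "Pointer Authentication bypass" entry describes.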
Impact
  • Successful Exploitation: By bypassing Pointer Authentication, an attacker can effectively neutralize a critical layer of defense, facilitating further malicious actions such as kernel-level escalation and unauthorized access to sensitive data (e.g., token theft) [1] [6].
Proof-of-Concept and Availability
  • While the vulnerability was used in targeted attacks, strategic public disclosures have occurred, including details on the exploit chain used in the wild [7].
Affected Products and Patch Status
  • Affected Products: The vulnerability affected various Apple operating systems, including iOS, iPadOS, macOS, tvOS, and visionOS [5].
  • Patch Status: Apple addressed the issue by removing the vulnerable code in updates released on April 16, 2025, including iOS 18.4.1 and iPadOS 18.4.1 [4]. Users are advised to ensure their devices are updated to the latest available versions to mitigate this and other security risks.

Sources

  1. JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201 - GitHub

    CVE-2025-31200 is a zero-day, zero-click RCE in iOS CoreAudio's AudioConverterService, triggered by a malicious audio file via iMessage/SMS. Exploitation b…

  2. Apple plugs zero-day holes used in targeted iPhone attacks (CVE ...

    CVE-2025-31201 is an issue in RPAC (Return Pointer Authentication Code), a security feature that aims to thwart return-oriented programming ...

  3. CVE-2025-31201 Detail - NVD

    An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been ... This vulnerability allows an attacker with arbitrary read and write capability to bypass Pointer Authentication. It is fixed in various Appl…

  4. Technical analysis of CVE-2025-31201 - Epsilon's blog

    CVE-2025-31201 affects a component called RPAC and has been patched in Apr 16 2025 (see the Apple security bulletin for iOS 18.4.1). The ...

  5. CVE-2025-31200-31201 Update - Lookout, Inc.

    CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue, both which affect Apple devices running on tvOS, visionOS, ...

  6. CVE-2025-31201 - Critical Pointer Authentication Bypass in Apple ...

    What is CVE-2025-31201? CVE-2025-31201 is a critical vulnerability that allows attackers with arbitrary memory read and write capabilities to bypass Pointer Authentication (PAC) on Apple’s latest operating systems. Pointer Authentication is Apple’s hardware-based protection against code execution at…

  7. Full Disclosure: CVE-2025-31200 & CVE-2025-31201 - Seclists.org

    This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and remained unpatched through iOS 18.4.

  8. Apple fixes two zero-days exploited in targeted iPhone attacks

    CVE-2025-31201 is a bug in RPAC that allows attackers to bypass Pointer Authentication, an iOS security feature. Apple released emergency updates to patch this and another zero-day (CVE-2025-31200) in CoreAudio.