Apple fixes two zero-days exploited in targeted iPhone attacks
Published on: 2025-04-25 02:06:22
Apple released emergency security updates to patch two zero-day vulnerabilities that were used in an "extremely sophisticated attack" against specific targets' iPhones.
The two vulnerabilities are in CoreAudio (CVE-2025-31200) and RPAC (CVE-2025-31201), with both bugs impacting iOS, macOS, tvOS, iPadOS, and visionOS.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS," reads an Apple security bulletin released today.
The CVE-2025-31200 flaw in CoreAudio was discovered by Apple and the Google Threat Analysis team. It can be exploited when the device processes an audio stream in a maliciously crafted media file, resulting in remote code execution on the device.
The company also fixed CVE-2025-31201, which Apple discovered. It is a bug in RPAC that allows attackers with read or write access to bypass Pointer Authentication (PAC), an iOS security feature that helps protect against memory vulnerabilities.
Apple h