Apple has rolled out emergency updates to patch two serious security flaws that were actively being exploited in highly targeted attacks on iPhones and other Apple devices. The fixes, released on April 16 as part of iOS 18.4.1 and macOS Sequoia 15.4.1, address zero-day vulnerabilities.
Apple said these bugs were used in an “extremely sophisticated attack against specific targeted individuals on iOS.”
Inside the iOS and macOS vulnerabilities
The two bugs, tracked as CVE-2025-31200 and CVE-2025-31201, affect Apple’s software’s CoreAudio and RPAC components.
- CVE-2025-31200 (CoreAudio): This bug allows hackers to take control of a device simply by tricking it into processing a malicious media file. Apple credited the discovery to its internal team and researchers from Google’s Threat Analysis Group — a unit known for tracking advanced cyberattacks, often linked to government actors.
- CVE-2025-31201 (RPAC): This flaw affects a security mechanism called Pointer Authentication, designed to prevent memory attacks. Hackers who have read and write access to a device could bypass this protection and hijack the system. Apple found and fixed this bug internally by removing the vulnerable code.
Which Apple devices were affected?
While Apple didn’t say who was behind the attacks or how many people were affected, the language the company used — “specific targeted individuals” — strongly suggests that these were not random hacks, but deliberate and precise operations. That, combined with Google’s involvement, has raised speculation about possible ties to government-backed surveillance campaigns.
Devices affected include:
- iPhones from iPhone XS and newer.
- iPads from 7th generation and newer.
- Macs running macOS Sequoia.
- All models of Apple TV HD and Apple TV 4K.
- Apple Vision Pro headset.
A growing list of zero-days
These latest fixes bring the number of zero-days patched by Apple this year to five. Earlier vulnerabilities were addressed in January, February, and March. Apple typically keeps details about ongoing exploits under wraps, and this case is no different. The company hasn’t shared exactly how the bugs were used.
