Apple Releases Security Updates for Multiple Products

Security updates include remediation for two exploited zero-day vulnerabilities

Summary

Security updates include remediation for two exploited zero-day vulnerabilities


Threat details

Exploitation of CVE-2025-31200 and CVE-2025-31201

Apple is aware of reports that CVE-2025-31200 and CVE-2025-31201 may have been exploited in extremely sophisticated attacks against specific targeted individuals on iOS.


Introduction

Apple has released security updates to address two exploited zero-day vulnerabilities in multiple Apple products.

Additionally, on 29 April 2025 security researchers published technical details for the 'AirBorne' vulnerability chain in Apple AirPlay. Three vulnerabilities from the AirBorne chain have been added to this cyber alert. By chaining CVE-2025-24252, CVE-2025-24132 and CVE-2025-24206 together, the researchers were reportedly able to achieve 'zero-click' remote code execution.

Technical details available for AirPlay 'AirBorne' RCE vulnerability chain

Security researchers have published technical details for the 'AirBorne' vulnerability chain in Apple AirPlay. Attackers may use these technical details to construct a proof-of-concept exploit. The NHS England National CSOC assesses exploitation as more likely.


Vulnerability details

  • CVE-2025-31200 is an 'out-of-bounds write' vulnerability with a CVSSv3 score of 7.5. If exploited, an unauthorised attacker could achieve code execution on the device when it processes an audio stream in a maliciously crafted media file. This vulnerability is under exploitation.

  • CVE-2025-31201 is an 'insufficient information' vulnerability with a CVSSv3 score of 6.8. If exploited, an attacker with arbitrary read and write capability could bypass pointer authentication (PAC). This vulnerability is under exploitation.

  • CVE-2025-24252 is a 'use-after-free' vulnerability in AirPlay with a CVSSv3 score of 9.8. If exploited, an attacker on the local network could corrupt process memory. This vulnerability is part of the 'AirBorne' exploit chain.

  • CVE-2025-24132 is a vulnerability in the AirPlay software development kit (SDK). If exploited, an attacker on the local network could cause an unexpected app termination. This vulnerability is part of the 'AirBorne' exploit chain.

  • CVE-2025-24206 is an 'incorrect authorisation' vulnerability in AirPlay with a CVSSv3 score of 7.7. If exploited, an attacker on the local network could bypass authentication policy. This vulnerability is part of the 'AirBorne' exploit chain.


Threat updates

Date | Update
30 Apr 2025 | Added details for 'AirBorne' vulnerability chain
30 Apr 2025 | Added macOS Sonoma and macOS Ventura to Affected Platforms

Remediation advice

Affected organisations are encouraged to review Apple security releases and apply the relevant updates.


Remediation steps

  • Patch: iOS 18.4.1 and iPadOS 18.4.1 | 122282
    https://support.apple.com/en-us/122282

  • Patch: macOS Sequoia 15.4.1 | 122400
    https://support.apple.com/en-us/122400

  • Patch: macOS Sonoma 14.7.5 | 122374
    https://support.apple.com/en-us/122374

  • Patch: macOS Ventura 13.7.5 | 122375
    https://support.apple.com/en-us/122375

  • Patch: tvOS 18.4.1 | 122401
    https://support.apple.com/en-us/122401

  • Patch: visionOS 2.4.1 | 122402
    https://support.apple.com/en-us/122402
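
One way to check a device inventory against the versions listed in the remediation steps above. This is an added example, not part of the original alert or any Apple or NHS England tooling; the CSV column names, hostnames and sample rows are constructed, and the alert's listed versions are assumed to be the minimum acceptable version for each branch.

```python
import csv
import io

# Fixed versions as listed in this alert's remediation steps, keyed by
# (platform, major version) because each macOS branch has its own update.
BASELINE = {
    ("iOS", 18): (18, 4, 1), ("iPadOS", 18): (18, 4, 1),
    ("macOS", 15): (15, 4, 1),  # Sequoia
    ("macOS", 14): (14, 7, 5),  # Sonoma
    ("macOS", 13): (13, 7, 5),  # Ventura
    ("tvOS", 18): (18, 4, 1), ("visionOS", 2): (2, 4, 1),
}

# Constructed sample inventory (hypothetical hostnames and column names).
SAMPLE_INVENTORY = """hostname,platform,os_version
ward-ipad-01,iPadOS,18.4
lab-mac-07,macOS,15.4.1
fin-mac-02,macOS,14.7.4
old-mac-11,macOS,12.7.6
lobby-tv-01,tvOS,18.4.1
clinic-iphone-03,iOS,17.7.2
"""

def parse_version(text):
    """Turn '18.4' into (18, 4, 0) so it compares below (18, 4, 1)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Classify one device as 'patched', 'needs-update' or 'review'."""
    try:
        current = parse_version(version)
    except ValueError:
        return "review"  # unparseable version string, check by hand
    required = BASELINE.get((platform.strip(), current[0]))
    if required is None:
        return "review"  # branch or platform with no update listed in the alert
    return "patched" if current >= required else "needs-update"

def audit(csv_text):
    """Return (hostname, status) for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["hostname"], assess(r["platform"], r["os_version"])) for r in rows]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:18} {status}")
```

Devices reported as 'review' are on a branch for which this alert lists no update, so they need checking against Apple's security releases directly.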

Definitive source of threat updates


CVE Vulnerabilities

Last edited: 30 April 2025 11:59 am