CISA Alerts on Active Exploitation of Multiple Apple 0-Day Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to Apple users and organizations following the discovery and active exploitation of multiple zero-day vulnerabilities in Apple’s operating systems.

These vulnerabilities, affecting a wide range of Apple devices, have been leveraged in sophisticated attacks targeting both individuals and enterprises, raising significant concerns across the cybersecurity community.

Multiple Zero-Days Under Active Attack

In recent months, Apple has patched at least five zero-day vulnerabilities, with several being actively exploited in the wild.

The most recent advisories address two critical flaws—CVE-2025-31200 and CVE-2025-31201—impacting iOS, macOS, iPadOS, tvOS, and visionOS.

These vulnerabilities were reportedly used in “extremely sophisticated attacks” against targeted individuals, according to Apple’s own security bulletins.

  • CVE-2025-31200 is a memory corruption issue in the Core Audio framework. Attackers can exploit this flaw by tricking users into processing maliciously crafted audio files, potentially allowing remote code execution on the device.
  • CVE-2025-31201 resides in the RPAC component and allows attackers with read or write access to bypass Pointer Authentication, a critical security feature designed to protect against memory attacks.

These vulnerabilities were patched in the latest security updates—iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1.

Apple credited its internal teams and Google’s Threat Analysis Group for the discovery and reporting of these flaws.

CISA’s Urgent Advisory

CISA’s warning is not limited to these two vulnerabilities.

Earlier this year, the agency flagged CVE-2025-24200, a critical flaw in Apple’s USB Restricted Mode. This zero-day vulnerability allows attackers with physical access to bypass security measures on locked devices, exposing sensitive user data to unauthorized extraction.

The flaw, classified as an authorization bypass (CWE-863), undermines one of Apple’s key defenses against forensic and hacking tools.

Additionally, CVE-2025-24201, a WebKit zero-day, was found to enable attackers to escape the browser sandbox via malicious web content, further expanding the attack surface for Apple users.

Devices at Risk

The list of impacted devices is extensive and includes:

  • iPhone XS and later
  • iPad Pro (various models, 3rd generation and later)
  • iPad Air 3rd generation and later
  • iPad 7th generation and later
  • iPad mini 5th generation and later
  • macOS Sequoia
  • Apple TV HD and Apple TV 4K (all models)
  • Apple Vision Pro

Risk Factor Table

| Vulnerability | CVE ID | Attack Vector | Impact | Devices Affected | Severity (CVSS) | Exploitation Status |
|---|---|---|---|---|---|---|
| Core Audio RCE | CVE-2025-31200 | Malicious audio file | Remote code exec. | iOS, macOS, tvOS, etc. | 7.5 | Actively exploited |
| RPAC PAC Bypass | CVE-2025-31201 | Read/write access | Security bypass | iOS, macOS, tvOS, etc. | 6.8 | Actively exploited |
| USB Restricted Mode Bypass | CVE-2025-24200 | Physical device access | Data extraction | iOS, iPadOS | Critical | Actively exploited |
| WebKit Sandbox Escape | CVE-2025-24201 | Malicious web content | Sandbox escape | iOS, macOS, visionOS | High | Actively exploited |

Mitigation and Recommendations

CISA and Apple urge all users and organizations to immediately apply the latest security updates to affected devices.

While some of these vulnerabilities have been used in highly targeted attacks, the risk of broader exploitation remains high if systems are left unpatched.

Organizations should also review device access controls and monitor for signs of compromise, especially if physical access to devices cannot be fully controlled.
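A quick way to act on the patching advice is to check a device inventory against the fixed versions the article lists (iOS/iPadOS/tvOS 18.4.1, macOS 15.4.1, visionOS 2.4.1). The script below is an added example, not code from CISA, Apple or the article; the inventory rows and device names are constructed, and the tuple layout is an assumption about what an MDM export might provide.

```python
"""Flag Apple devices still below the versions that fixed CVE-2025-31200/31201."""
from typing import Dict, List, Tuple

# Fixed versions named in the article's bulletin summary.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "18.4.1",
    "iPadOS": "18.4.1",
    "macOS": "15.4.1",
    "tvOS": "18.4.1",
    "visionOS": "2.4.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.4' or '18.4.1 (22E252)' into a 3-tuple so numeric comparison works.

    Padding with zeros matters: a plain '18.4' must rank below the 18.4.1 fix.
    """
    numeric = version.strip().split(" ")[0]          # drop a trailing build id
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(platform: str, version: str) -> bool:
    """True when the installed version is at or above the fixed release."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) >= parse_version(fixed)


def unpatched_devices(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (device, platform, installed, required) for devices below the fix."""
    findings = []
    for name, platform, version in inventory:
        if platform not in FIXED_VERSIONS:           # skip platforms outside this bulletin
            continue
        if not is_patched(platform, version):
            findings.append((name, platform, version, FIXED_VERSIONS[platform]))
    return findings


# Constructed sample inventory (hypothetical MDM export), not real devices.
SAMPLE_INVENTORY = [
    ("iphone-exec-01", "iOS", "18.4.1 (22E252)"),
    ("iphone-exec-02", "iOS", "18.3.2"),
    ("ipad-lab-01", "iPadOS", "18.4"),
    ("mbp-dev-07", "macOS", "15.4.1"),
    ("mbp-dev-08", "macOS", "15.3"),
    ("appletv-lobby", "tvOS", "18.4.1"),
    ("vision-demo", "visionOS", "2.4.1"),
    ("laptop-win-01", "Windows", "11"),
]

if __name__ == "__main__":
    for name, platform, installed, required in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{name}: {platform} {installed} < {required} (update required)")
```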

The rapid emergence and exploitation of these zero-days highlight the evolving threat landscape and the necessity for timely patch management and robust security practices.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
