Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
Both vulnerabilities allowed an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.
The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.
Technical details
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:
- CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
- CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.
Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.
This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.
When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.
A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.
What could have happened here is that the attacker was able to use that ample space to create a pointer that was able to bypass the Pointer Authentication and use this ability to point from a legitimate application to their malicious code.
In the past researchers have already found bypass scenarios for attackers that already have full memory control.
What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.
Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.