CVE-2025-31201
CRITICAL | KEV
macOS < 15.4.1 - Pointer Authentication Bypass via Insufficient Access Control
Title source: llm
Exploitation Summary
CVE-2025-31201 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 17, 2025. EIP tracks 1 public exploit from researchers including JGoyd.
AI-analyzed exploit summary: This repository provides a detailed technical analysis of an iOS zero-click exploit chain involving CVE-2025-31200 (CoreAudio heap corruption) and CVE-2025-31201 (kernel privilege escalation via AppleBCMWLAN). It includes forensic logs, attack flow, and impact analysis but does not contain functional exploit code.
Description
This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
Exploits (1)
References (12)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H