
CVE-2025-31200 PoC — Apple iOS and Apple iPadOS Security Vulnerability

Source
Associated Vulnerability
Title: Apple iOS and Apple iPadOS Security Vulnerability (CVE-2025-31200)
Description: A memory corruption issue was addressed with improved bounds checking. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1, watchOS 11.5. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1.
Description
CVE-2025-31200 is a zero-day, zero-click RCE in iOS CoreAudio’s AudioConverterService, triggered by a malicious audio file via iMessage/SMS. Exploitation bypassed Blastdoor, enabled kernel escalation (CVE-2025-31201), and allowed token theft until patched in iOS 18.4.1 (Apr 16, 2025).
Readme
# CVE-2025-31200 & CVE-2025-31201 | iMessage Zero-Click RCE Chain

Public disclosure of two linked vulnerabilities in Apple's iOS 18.x:

- **CVE-2025-31200** — Heap corruption in CoreAudio’s `AudioConverterService`, triggered by a malicious audio file delivered via iMessage. Zero-click, no user interaction required.  
- **CVE-2025-31201** — Pointer Authentication (PAC) bypass in the RPAC path, enabling reliable kernel exploitation once arbitrary R/W is achieved.

---

## Disclosure & Patch Timeline

- **Initial Report Date:** January 21, 2025  
- **Reported To:** Apple & US-CERT (Tracking ID: VRF#25-01-MPVDT)  
- **Patched By Apple:** Silently resolved in **iOS 18.4.1**, released **April 16, 2025**  
- **CVE Assignment:** Identifiers **CVE-2025-31200** and **CVE-2025-31201** were assigned publicly due to lack of MITRE response  

Due to the severity, prolonged silence from relevant stakeholders, and absence of acknowledgment post-patch, this repository is published to inform the security community and support defensive mitigation.

---

## Affected Systems

- **iOS Versions:** Zero-day until patched in **iOS 18.4.1 (April 16, 2025)**  
- **Primary Vulnerable Component:** `AudioConverterService` (CoreAudio) via iMessage / SMS delivery  
- **Chained Component:** RPAC / Pointer Authentication (PAC bypass, CVE-2025-31201)  
- **Post-Exploitation Impact:** Wireless subsystem manipulation and CryptoTokenKit abuse (no CVE assigned)

---

## 🛡️ Disclaimer

This report is released in the interest of public safety, transparency, and to support defenders and researchers. All information is based on independent research. No offensive code is included. The author remains open to coordination with trusted parties for validation and response.


File Snapshot

[4.0K] /data/pocs/439ee258ba55a39c96e7af9e4f57d710fb2b89d9
├── [1.7K] README.md
└── [5.9K] Remote Crypto Attack Chain .md

0 directories, 2 files