LiveActive security incident?Get immediate response
CVE Record

CVE-2025-31201: This issue was addressed by removing the vulnerable code.

This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

CriticalCVSS 9.8Known exploitedUpdated
Glexia's TakeHuman reviewedcritical

Security readout for executives and security teams

Plain-English summary

CVE-2025-31201 is an Apple platform vulnerability that can let an attacker who already has arbitrary read and write capability bypass Pointer Authentication, a key memory-safety defense. Apple fixed it by removing vulnerable code. Business urgency is high because Apple reported targeted iOS exploitation and CISA lists it in KEV.

Executive priority

Treat as urgent patching work, especially for iOS fleets and high-risk personnel. The issue has confirmed KEV status and Apple-reported targeted exploitation, but available sources do not indicate broad mass exploitation.

Technical view

The flaw is classified as CWE-1220 and affects Apple iOS/iPadOS, macOS, tvOS, and visionOS per the source bundle. Fixed versions are iOS/iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1. CVSS is 9.8. Exact affected version ranges are not provided.

Likely exposure

Organizations with Apple devices below the listed fixed releases may be exposed. The strongest exploitation evidence is for iOS targeted attacks. Exposure is most urgent for executives, journalists, administrators, developers, and other high-value users operating unpatched Apple devices.

Exploitation context

CISA KEV confirms known exploitation. Apple states it is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. The bundle also includes third-party technical discussion of an iOS attack chain, but official detail is limited.

Researcher notes

This is a defense-bypass primitive, not a complete intrusion path by itself in the source text. Apple describes the attacker prerequisite as arbitrary read and write capability. Avoid assuming exploitability across all Apple products beyond the listed fixes and KEV/Apple exploitation evidence.

Mitigation direction

  • Update iOS and iPadOS devices to 18.4.1 or later.
  • Update macOS Sequoia systems to 15.4.1 or later.
  • Update tvOS devices to 18.4.1 or later.
  • Update visionOS devices to 2.4.1 or later.
  • Prioritize high-risk and high-privilege users first.
  • Monitor Apple and CISA guidance for any revised affected-version details.

Validation and detection

  • Inventory Apple devices by OS family and version.
  • Confirm fixed versions are installed across managed fleets.
  • Identify any unmanaged Apple devices used for business access.
  • Prioritize validation for iOS devices assigned to high-risk users.
  • Check MDM compliance reports for update failures or deferrals.
  • Review security monitoring for unusual activity on previously unpatched iOS devices.
Prepared
Reviewed
Confidence
high
Sources
9

Michael Williams reviewed this cited source version on .

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1220: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-31201 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
8Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2025-31201Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
AppleiOS and iPadOS0Listed
ApplemacOS0Listed
AppletvOS0Listed
ApplevisionOS0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1220 · source CWE mapping

Insufficient Granularity of Access Control

Insufficient Granularity of Access Control represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.