
CVE-2025-31200 PoC — Apple iOS and Apple iPadOS Security Vulnerability

Associated Vulnerability
Title: Apple iOS and Apple iPadOS Security Vulnerability (CVE-2025-31200)
Description: Apple iOS and Apple iPadOS are both products of the US company Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple iOS 18.4.1 and Apple iPadOS 18.4.1 contain a security vulnerability that stems from insufficient bounds checking when processing malicious media files, which may lead to code execution.
Description
CVE-2025-31200 is a zero-day, zero-click RCE in iOS CoreAudio’s AudioConverterService, triggered by a malicious audio file via iMessage/SMS. Exploitation bypassed Blastdoor, enabled kernel escalation (CVE-2025-31201), and allowed token theft until patched in iOS 18.4.1 (Apr 16, 2025).
Readme
# CVE-2025-31200 & CVE-2025-31201 | iMessage Zero-Click RCE Chain

Public disclosure of two linked vulnerabilities in Apple's iOS 18.x:

- **CVE-2025-31200** — Heap corruption in CoreAudio’s `AudioConverterService`, triggered by a malicious audio file delivered via iMessage. Zero-click, no user interaction required.  
- **CVE-2025-31201** — Pointer Authentication (PAC) bypass in the RPAC path, enabling reliable kernel exploitation once arbitrary R/W is achieved.

---

## Disclosure & Patch Timeline

- **Initial Report Date:** January 21, 2025  
- **Reported To:** Apple & US-CERT (Tracking ID: VRF#25-01-MPVDT)  
- **Patched By Apple:** Silently resolved in **iOS 18.4.1**, released **April 16, 2025**  
- **CVE Assignment:** Identifiers **CVE-2025-31200** and **CVE-2025-31201** were assigned publicly due to lack of MITRE response  

Due to the severity, prolonged silence from relevant stakeholders, and absence of acknowledgment post-patch, this repository is published to inform the security community and support defensive mitigation.

---

## Affected Systems

- **iOS Versions:** Zero-day until patched in **iOS 18.4.1 (April 16, 2025)**  
- **Primary Vulnerable Component:** `AudioConverterService` (CoreAudio) via iMessage / SMS delivery  
- **Chained Component:** RPAC / Pointer Authentication (PAC bypass, CVE-2025-31201)  
- **Post-Exploitation Impact:** Wireless subsystem manipulation and CryptoTokenKit abuse (no CVE assigned)

---

## 🛡️ Disclaimer

This report is released in the interest of public safety, transparency, and to support defenders and researchers. All information is based on independent research. No offensive code is included. The author remains open to coordination with trusted parties for validation and response.


File Snapshot

[4.0K] /data/pocs/439ee258ba55a39c96e7af9e4f57d710fb2b89d9
├── [1.7K] README.md
└── [5.9K] Remote Crypto Attack Chain .md

0 directories, 2 files