9.8 CVE-2025-31201

CISA Kev Catalog Exploit

This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
https://nvd.nist.gov/vuln/detail/CVE-2025-31201

References

134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit

https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/... Exploit
https://github.com/cisagov/vulnrichment/issues/200 Issue Tracking
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-20... US Government Resource

af854a3a-2127-422b-91ae-364da2661108 Exploit

http://seclists.org/fulldisclosure/2025/Apr/26 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2025/Jun/14 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2025/Oct/0 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2025/Oct/3 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2025/Oct/4 Mailing List Third Party Advisory

product-security@apple.com Exploit

https://support.apple.com/en-us/122282 Release Notes Vendor Advisory
https://support.apple.com/en-us/122400 Release Notes Vendor Advisory
https://support.apple.com/en-us/122401 Release Notes Vendor Advisory
https://support.apple.com/en-us/122402 Release Notes Vendor Advisory

CPE

cpe	start	end
Configuration 1
cpe:2.3:o:apple:macos::::::::		< 15.4.1
Configuration 2
cpe:2.3:o:apple:tvos::::::::		< 18.4.1
Configuration 3
cpe:2.3:o:apple:visionos::::::::		< 2.4.1
Configuration 4
cpe:2.3:o:apple:ipados::::::::		< 18.4.1
Configuration 5
cpe:2.3:o:apple:iphone_os::::::::		< 18.4.1

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/...

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
1	Accessing Functionality Not Properly Constrained by ACLs In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to. [Survey] The attacker surveys the target application, possibly as a valid and authenticated user [Identify Functionality] At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions [Iterate over access capabilities] Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.	High
180	Exploiting Incorrectly Configured Access Control Security Levels An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. [Survey] The attacker surveys the target application, possibly as a valid and authenticated user. [Identify weak points in access control configurations] The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured. [Access the function or data bypassing the access control] The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.	Medium

MITRE

Techniques

id	description
T1574.010	Hijack Execution Flow: ServicesFile Permissions Weakness
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1018	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee