Apple has issued an urgent call for all iPhone users to update their devices immediately following the discovery and patching of two dangerous zero-day security vulnerabilities that were actively exploited in what the company described as an “extremely sophisticated attack.”
The new emergency update, iOS 18.4.1, is now available, and the fixes apply to a wide range of Apple devices, including iPhones (XS and newer), iPads, Mac computers running macOS Sequoia, Apple TV devices, and even the recently launched Apple Vision Pro.
According to a security bulletin released by Apple, the company became aware of the flaws after they were used in targeted attacks against specific high-profile individuals. “This attack was against specific targeted individuals,” Apple confirmed, underscoring the seriousness of the threat.
The first vulnerability, listed as CVE-2025-31200, was discovered jointly by Apple and Google’s Threat Analysis Group. It is located within CoreAudio and allows remote code execution when a device merely processes a malicious audio file. The second flaw, CVE-2025-31201, was found in Apple’s Remote Participant Audio Control (RPAC) framework and can be exploited to bypass an important iOS security feature known as Pointer Authentication.
Though Apple has not disclosed the exact method used in the attacks, the company’s strategy is to withhold technical details initially to give users time to update and prevent hackers from replicating the exploits. “Apple hasn’t shared any additional details regarding how these zero-day flaws were exploited in this extremely sophisticated attack,” the statement noted.
The company warned that while such vulnerabilities are often first used to target high-level individuals such as CEOs, politicians, and activists, the techniques tend to “trickle down to ordinary users eventually,” making the update critical for everyone.
Security experts have echoed Apple’s urgency, advising users not to delay in applying the patch. “Hackers love to go after people running outdated software as they’re easy targets,” one advisory said. Users are also encouraged to practise strong cyber hygiene, including avoiding suspicious links and attachments, and ignoring emails that create a sense of urgency—often classic signs of phishing scams.
This latest security patch brings Apple’s total number of zero-day fixes for 2025 to five. While that figure might raise concerns, experts say it reflects Apple’s ongoing commitment to quickly addressing threats and protecting user data. However, the responsibility ultimately rests with users to install the updates and secure their devices.
iPhone, iPad, and Mac users are advised to check their settings and install iOS 18.4.1, or the latest iPadOS or macOS update, without delay to shield themselves from these known threats.