CVE-2025-31200 & CVE-2025-31201 iMessage Zero-Click RCE Chain
Public disclosure of two linked vulnerabilities in Apple's iOS 18.x:
- CVE-2025-31200 — Heap corruption in CoreAudio’s AudioConverterService, triggered by a malicious audio file delivered via iMessage. Zero-click, no user interaction required.
- CVE-2025-31201 — Pointer Authentication (PAC) bypass in the RPAC path, enabling reliable kernel exploitation once arbitrary R/W is achieved.
Disclosure & Patch Timeline
- Initial Report Date: (found "in the wild") Dec 20, 2024
- Re-Reported To: Apple & US-CERT Jan 21, 2025 (Tracking ID: VRF#25-01-MPVDT)
- Sent to Google Research Team: April 11th, 2025
- Patched By Apple: resolved in iOS 18.4.1, released April 16, 2025
- CVE Assignment: Identifiers CVE-2025-31200 and CVE-2025-31201 were assigned publicly due to lack of MITRE response
Due to the severity, prolonged silence from relevant stakeholders, and absence of acknowledgment post-patch, this repository is published to inform the security community and support defensive mitigation.
Malicious Working Exploit: https://www.dropbox.com/scl/fi/oerpnhq1ui3xfswsszfh2/Audio-clip.amr?rlkey=7n54m1o84poezyipxvd2f9slx&e=1&st=b1tkonvr&dl=0
Affected Systems
- iOS Versions: Zero-day until patched in iOS 18.4.1 (April 16, 2025)
- Primary Vulnerable Component: AudioConverterService (CoreAudio) via iMessage / SMS delivery
- Chained Component: RPAC / Pointer Authentication (PAC bypass, CVE-2025-31201)
- Post-Exploitation Impact: Wireless subsystem manipulation and CryptoTokenKit abuse (no CVE assigned)
🛡️ Disclaimer
This report is released in the interest of public safety, transparency, and to support defenders and researchers. All information is based on independent research. No offensive code is included. The author remains open to coordination with trusted parties for validation and response.
Why This Matters
This zero-click chain gives attackers silent, full device control. With kernel-level access and documented keychain exfiltration, an attacker can drain crypto wallets by stealing stored keys, intercept 2FA codes and messages to take over accounts, authorize payments or transfers without prompts, and activate mic, camera, or GPS to surveil you — all without any user interaction.
In short, your phone can be turned into a stealthy vault-breaker and spy, and you may never see a warning.