CVE-2025-31200-31201 Update


Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:
- Set the default OS Out of Date policy to enforce a minimum iOS version of 18.4 on all devices.
- Choose whether to immediately warn non-compliant devices or block them from accessing work apps and data until their OS is updated.
- If your risk policies allow for a grace period, set the policy to escalate in severity and in the restrictions placed on the user over a short period that aligns with your policies.
Overview
CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue, both of which affect Apple devices running tvOS, visionOS, iOS, iPadOS, and macOS. There has been evidence of active exploitation of these CVEs. For CVE-2025-31200, a successful exploit could allow malicious code execution, specifically when processing an audio stream in a maliciously crafted media file. This issue was addressed with improved bounds checks. For CVE-2025-31201, a successful exploit could allow an attacker to bypass Pointer Authentication, a security feature that helps protect the integrity of pointers in memory. This issue was addressed by removing the vulnerable code. Both issues are fixed in tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1, iPadOS 18.4.1, and macOS Sequoia 15.4.1.
United States government organizations are required to have all vulnerable devices patched by May 8, 2025. While CISA’s requirement is only for US government organizations, their guidance should be a source of information for enterprise organizations, as well.
Lookout Analysis
Regardless of who builds software, it is rarely perfect. Vulnerabilities are common in the mobile ecosystem, across both hardware and software, just like they are for laptops, desktops, and any other technology. Apple has the advantage of building and maintaining both its hardware and software products, which reduces the variables that could lead to exploitable code. However, this doesn’t mean that Apple devices are impenetrable.
This incident, along with similar occurrences, demonstrates that despite the significant efforts invested in creating exploitation mitigations and conducting code audits, memory corruption vulnerabilities continue to be widespread and exploitable in practical scenarios. Without visibility into vulnerable devices across your mobile fleet, your organization and its data could be exposed to threats like this. To combat these problems, security teams should leverage mobile EDR to integrate mobile device and app vulnerability data into their SIEM, SOAR, or XDR solution.
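The following is an added example, not Lookout's code or any Lookout console API, showing how the admin steps above (a minimum-OS policy with warn/block and an escalating grace period) and the fleet-visibility point in this analysis can be modelled as a check over a device inventory. It assumes a simple inventory record shape (`device_id`, `platform`, `os_version`, optional `first_seen_noncompliant`), uses the fixed releases listed in the Overview as the per-platform minimums, and emits newline-delimited JSON findings of the kind a SIEM, SOAR, or XDR pipeline would ingest. The sample inventory and dates are constructed.

```python
import json
from datetime import date, timedelta

# Minimum OS versions per platform, taken from the fixed releases listed in the
# Overview above. Assumption: the policy is modelled as one minimum per platform.
FIXED_VERSIONS = {
    "iOS": "18.4.1",
    "iPadOS": "18.4.1",
    "macOS": "15.4.1",
    "tvOS": "18.4.1",
    "visionOS": "2.4.1",
}

# Constructed sample inventory (not real devices); the record shape is an assumption.
INVENTORY = [
    {"device_id": "dev-001", "platform": "iOS", "os_version": "18.4.1"},
    {"device_id": "dev-002", "platform": "iOS", "os_version": "18.4",
     "first_seen_noncompliant": "2025-04-18"},
    {"device_id": "dev-003", "platform": "iPadOS", "os_version": "18.3.2",
     "first_seen_noncompliant": "2025-04-10"},
    {"device_id": "dev-004", "platform": "macOS", "os_version": "15.4.1"},
    {"device_id": "dev-005", "platform": "iOS", "os_version": "unknown"},
    {"device_id": "dev-006", "platform": "Android", "os_version": "14"},
]

# Fixed evaluation date so the sample run is reproducible (constructed).
SAMPLE_DATE = date(2025, 4, 20)


def parse_version(text):
    """Turn '18.4.1' into a comparable tuple; None for malformed input."""
    parts = str(text).strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    # Pad to three components so '18.4' compares as 18.4.0, i.e. below 18.4.1.
    return nums + (0,) * max(0, 3 - len(nums))


def is_out_of_date(platform, os_version, minimums=FIXED_VERSIONS):
    """True when the device is below the platform minimum or its version is unreadable."""
    minimum = minimums.get(platform)
    if minimum is None:
        return False  # platform not covered by this policy
    current = parse_version(os_version)
    if current is None:
        return True  # fail closed: an unparseable version is treated as vulnerable
    return current < parse_version(minimum)


def evaluate_device(device, today, grace_days, minimums=FIXED_VERSIONS):
    """Decide allow / warn / block for one device, escalating once the grace period ends."""
    result = {"device_id": device["device_id"], "platform": device["platform"],
              "os_version": device["os_version"], "days_remaining": None}
    if device["platform"] not in minimums:
        return {**result, "status": "out_of_scope", "action": "allow"}
    if not is_out_of_date(device["platform"], device["os_version"], minimums):
        return {**result, "status": "compliant", "action": "allow"}
    # First non-compliant sighting defaults to today when the inventory has no record of it.
    first_seen = date.fromisoformat(device.get("first_seen_noncompliant", today.isoformat()))
    remaining = (first_seen + timedelta(days=grace_days) - today).days
    action = "warn" if remaining > 0 else "block"
    return {**result, "status": "out_of_date", "action": action, "days_remaining": remaining}


def evaluate_fleet(inventory, today, grace_days, minimums=FIXED_VERSIONS):
    """Evaluate every device; grace_days=0 blocks non-compliant devices immediately."""
    return [evaluate_device(d, today, grace_days, minimums) for d in inventory]


def sample_findings(grace_days=7):
    """Run the policy over the constructed inventory on the fixed sample date."""
    return evaluate_fleet(INVENTORY, SAMPLE_DATE, grace_days)


def siem_events(results, today):
    """Render out-of-date findings as newline-delimited JSON for SIEM/SOAR/XDR ingestion."""
    lines = []
    for r in results:
        if r["status"] == "out_of_date":
            lines.append(json.dumps({"event": "mobile_os_out_of_date",
                                     "observed": today.isoformat(), **r}))
    return "\n".join(lines)


if __name__ == "__main__":
    findings = sample_findings(grace_days=7)
    for f in findings:
        print(f"{f['device_id']:8} {f['platform']:9} {f['os_version']:8} "
              f"{f['status']:13} {f['action']}")
    print(siem_events(findings, SAMPLE_DATE))
```

Two design points matter here. Versions are compared as padded numeric tuples, so a device reporting 18.4 is ranked below 18.4.1; since the fix shipped in iOS 18.4.1, a minimum set at 18.4 would admit 18.4.0, which is why the example uses the fixed release as the floor. An unparseable version fails closed and is treated as out of date, so a device with broken or missing telemetry cannot silently pass the policy.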