Share
## https://sploitus.com/exploit?id=9B80FC54-2F2F-5D0D-8E3C-68E965529B33
# 8. CVE-2025-31200/31201 - iOS Zero-Click iMessage Exploit Chain
## Classification
- **Category:** 0-Click Remote Code Execution + Secure Enclave Key Theft
- **CVEs:** CVE-2025-31200, CVE-2025-31201
- **Discovered:** December 20, 2024
- **Public Disclosure:** October 2, 2025 (Full Disclosure / seclists.org)
- **Affected:** iOS 18.2 through iOS 18.4
- **Patched:** iOS 18.4.1 (silent fix, no credit given)
- **Working Exploit Location:** Dropbox (Audio-clip.amr)
## The Exploit Chain
### Trigger
A **zero-click MP4 with AAC audio** sent via iMessage. The receiver does not need to interact -- just receiving the message triggers the exploit.
### Chain Steps
1. **Blastdoor Trust Bypass** -- Apple's trust model allowed audio messages from known senders to bypass Blastdoor sandboxing
2. **CoreAudio Heap Corruption** (CVE-2025-31200) -- crafted AAC encoding in the MP4 triggers heap corruption in CoreAudio
3. **PAC Bypass** (CVE-2025-31201) -- malformed AMPDU metadata bypasses Pointer Authentication, enabling kernel-level control
4. **Secure Enclave Key Theft** -- extraction of Secure Enclave-protected keys via `CryptoTokenKit`
5. **Wormable Propagation** -- lateral device infection via `MultipeerConnectivity`
### Capabilities
- Extract Secure Enclave-protected keys
- Forge Apple identity sessions
- Silent crypto wallet draining
- Peer-to-peer wormable propagation
- Full device compromise
## The Controversy
- **Responsible disclosure** was suppressed by Apple
- Researcher submitted report Dec 20, 2024 (Report ID: OE19648805943313)
- Escalated to US-CERT/CISA Jan 2025 (Tracking ID: VRF#25-01-MPVDT)
- Full exploit chain submitted to Google Project Zero Apr 2025
- **Apple issued silent fix** in iOS 18.4.1 (April 2025) **without public acknowledgment or credit**
- Researcher went public in October 2025
## Where to Find
- **Exploit artifact**: Dropbox (`Audio-clip.amr`) -- the actual malicious file
- **Write-up**: `weareapartyof1.substack.com` -- "The Crypto Heist Apple Kept Quiet"
- **Full disclosure**: seclists.org fulldisclosure
- **GitHub repo**: `JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201`
## Significance
This is one of the most severe iOS exploit chains ever publicly documented:
- **No user interaction** required
- **Secure Enclave** compromise (hardware-level security)
- **Wormable** -- can spread device-to-device
- **Crypto wallet theft** -- financial motivation
- Apple's response (silent patch, no credit) raises transparency concerns