CVE-2025-31201

Multiple Products vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

A pointer authentication bypass vulnerability in Apple operating systems (tvOS, visionOS, iOS, iPadOS, and macOS Sequoia) allows an attacker who already has arbitrary read/write capabilities to bypass pointer authentication security measures. The flaw lay in code that improperly handled pointer authentication checks; Apple addressed it by removing the vulnerable code. This is a privilege escalation and security boundary bypass issue affecting multiple Apple platforms. The vulnerability was disclosed on April 16, 2025. CISA lists CVE-2025-31201 as exploited in the wild; it is not currently known to be used in ransomware campaigns.

Technical details

The vulnerability exists in how Apple's operating systems implement pointer authentication codes (PAC), a hardware-based security feature on ARM64 processors that cryptographically signs pointers so that tampered pointers are detected before use, preventing unauthorized code execution. The affected code improperly validated pointer authentication. Although the vulnerable code was removed in later versions, on unpatched systems an attacker who has already obtained arbitrary read/write access to kernel or process memory can still achieve the bypass. This creates a secondary exploitation path that defeats PAC as a mitigation once a memory corruption primitive is in hand.

The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature), CWE-287 (Improper Authentication) and CWE-269 (Improper Access Control (Generic)).

The vulnerability has received a CVSS v3.1 base score of 6.2 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N, which places it in the MEDIUM severity range.

Impact

An attacker with arbitrary read/write capabilities can bypass pointer authentication security mechanisms, leading to: (1) code execution in privileged contexts; (2) privilege escalation from user to kernel or between security contexts; (3) bypass of exploit mitigations that rely on pointer authentication; (4) complete compromise of system security boundaries; (5) potential jailbreaking or complete device compromise on iPhone, iPad, Apple TV, and Vision Pro devices. This is particularly severe because pointer authentication is a critical security mechanism on modern Apple Silicon and ARM processors.

Mitigation and workarounds

Apple has addressed this vulnerability through security updates released in March 2025. Users should: (1) open Settings > General > Software Update on iOS/iPadOS devices; (2) go to Settings > System > Software Updates on Apple TV (tvOS) devices; (3) open Settings > General > About > Software Update on visionOS devices; (4) use System Settings > General > Software Update on macOS devices; then install the latest available version of the respective operating system. The vulnerability is patched in versions released after 2025-03-03. The following versions include the necessary fixes: iOS 18.4.2 and later, iPadOS 18.4.2 and later, tvOS 18.4.2 and later, visionOS 2.4.2 and later, and macOS Sequoia 15.4.2 and later.

As temporary workarounds: restrict physical device access and limit access to privileged debugging interfaces (JTAG, DFU mode), since the exploit requires arbitrary read/write capabilities, which typically require either local code execution as a privileged process or physical hardware access; and, if using enterprise management systems, disable USB Restricted Mode or require strong authentication for debugging access, though this does not directly mitigate the pointer authentication bypass.

CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Source: This report was generated using AI

Related Apple Vulnerabilities

No related vulnerabilities found with identified affected products.