Urgent Security Alert: CISA Warns of Actively Exploited Apple and Microsoft Vulnerabilities
Ddos 
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, adding three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgent need for swift patching across affected systems. These vulnerabilities, impacting Apple and Microsoft products, are already being actively exploited by malicious actors, posing a significant risk to organizations and individuals.
Apple Under Attack: CoreAudio and RPAC Flaws
Apple’s ecosystem is facing severe threats from two actively exploited vulnerabilities:
- CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability: This flaw resides within CoreAudio and can be triggered by processing a maliciously crafted audio stream. Successful exploitation could lead to remote code execution on vulnerable devices.
- CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability: This vulnerability affects RPAC and allows attackers with read or write access to bypass Pointer Authentication (PAC), a crucial iOS security feature designed to defend against memory vulnerabilities.
Both vulnerabilities affect a wide range of Apple products, including iOS, macOS, tvOS, iPadOS, and visionOS. Apple has acknowledged that the CoreAudio vulnerability may have been exploited in highly targeted attacks against specific iOS users, indicating the severity of the threat. While Apple has not disclosed specific details about the exploitation methods, the company patched both vulnerabilities in recent updates: iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1, and visionOS 2.4.1.
Microsoft’s NTLM Hash Disclosure Under Exploitation
Microsoft Windows is also under attack, with the vulnerability CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability being actively exploited. This NTLM hash disclosure spoofing bug was addressed by Microsoft in a recent Patch Tuesday update. However, Check Point researchers have observed active exploitation of this vulnerability within days of the patch release, with exploitation activity peaking between March 20 and 25, 2025.
While one IP address involved in these attacks has been linked to the Russia state-sponsored threat group APT28 (Fancy Bear), conclusive attribution remains unconfirmed. Cybersecurity researchers have reported that a campaign exploiting CVE-2025-24054 targeted government and private institutions in Poland and Romania around March 20-21, 2025. Attackers used malicious spam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.
CISA’s Directive: Immediate Action Required
In response to the active exploitation of these vulnerabilities, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by May 8, 2025, to secure their networks. This directive underscores the critical need for all organizations, not just government agencies, to prioritize patching these vulnerabilities to mitigate the risk of compromise.
Related Posts:
About The Author
