Pierluigi Paganini April 18, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple products and Microsoft Windows NTLM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions of the flaws:

• CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability
• CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability
• CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability

This week Apple released out‑of‑band security updates to address two vulnerabilities, tracked as CVE-2025-31200 and CVE-2025-31201, impacting iOS, iPadOS & macOS. The company confirmed that the flaws have been exploited in a small number of “extremely sophisticated” attacks against iOS targets.

The two vulnerabilities are:

• CoreAudio (CVE-2025-31200) – The vulnerability is a memory corruption issue that was addressed with improved bounds checking. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. The company acknowledged Google’s TAG (Threat Analysis Group) for reporting this flaw.
• RPAC (CVE-2025-31201) – An attacker with read/write access could bypass Pointer Authentication on iOS. Apple confirmed it may have been exploited in highly targeted, sophisticated attacks. Apple addressed the flaw by removing the vulnerable code.

Security patches are available for the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

As usual, Apple has not shared technical details about the attacks. However, the limited, targeted nature of these attacks against iOS users suggests that commercial surveillance vendors or a nation-state actor likely exploited the flaws.

The third issue added to the KeV Catalog, tracked as CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing bug that Microsoft fixed in March.

NTLM (NT LAN Manager) is a suite of authentication protocols developed by Microsoft to authenticate users and computers in Windows environments.

“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability.” Microsoft warns.

However, Microsoft labeled the flaw CVE-2025-24054 as “Exploitation Less Likely,” but Check Point researchers reported that the flaw has been actively exploited since March 19. Attackers triggered the flaw to leak NTLM hashes or user passwords.

“Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.” states Check Point. “Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by May 8, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)