
Between December 2024 and April 2025, attackers exploited a zero-click iMessage vulnerability in iOS 18 to hijack iPhones, extract Secure Enclave-protected cryptographic keys, and spread laterally via Wi-Fi, all without any user interaction.
Although Apple issued a patch in April, researchers now claim the company failed to disclose the full extent of the threat, raising transparency and trust concerns.
The exploit chain was publicly disclosed earlier this month by security researcher Joseph Goydish, who initially reported the flaw to Apple Product Security in December 2024. The chain, triggered simply by receiving a specially crafted MP4 audio file via iMessage, consisted of five distinct stages: sandbox escape, heap corruption in CoreAudio, kernel privilege escalation via Wi-Fi drivers, worming via wireless mesh, and Secure Enclave key theft through CryptoTokenKit.
According to the technical write-up, the attack begins by bypassing iMessage's BlastDoor sandbox using trust-based filtering flaws. A malformed AAC audio stream embedded in the MP4 file then triggers heap corruption in CoreAudio (CVE-2025-31200), which is chained with a malformed AMPDU metadata exploit in Apple's Wi-Fi driver stack (CVE-2025-31201) to escalate to kernel privileges. The exploit culminates in the extraction and reuse of cryptographic identities, enabling device impersonation and stealthy crypto wallet theft. The wormable nature of the attack allows it to propagate to nearby devices using Apple's peer-to-peer MultipeerConnectivity framework.
The affected systems included iPhones running iOS 18.2 through 18.4.1, an estimated install base of hundreds of millions. Despite the exploit's severity, Apple patched the vulnerability quietly in April 2025 with the release of iOS 18.4.1, describing the flaws only as part of “extremely sophisticated attacks against specific targeted individuals” and acknowledging Google's Threat Analysis Group but omitting the attack vector, exploit chain details, or mention of cryptographic theft and worming behavior.
Joseph Goydish, who also submitted the report to US-CERT and Google Project Zero, claims that the patch was effectively a silent fix: while CVEs were assigned and the vulnerabilities addressed, Apple did not notify the public of the real-world risk posed by the zero-day chain. He further alleges that Apple did not credit him or acknowledge the full scope of the exploit.
Apple's April bulletin did not mention iMessage as the delivery vector, nor did it acknowledge the potential for wireless worming or Secure Enclave compromise. The language used suggested a narrow, targeted scope, which the researcher argues downplays systemic risk.
Users are strongly advised to update to iOS 18.4.1 or later, which contains patches for both vulnerabilities. For additional protection against zero-click exploits, enabling ‘Lockdown Mode’ is recommended.
CyberInsider has contacted Apple for a comment on Goydish's allegations, and we are still waiting for their statement.