iOS 18.4.1—Apple Issues Update Now Warning To All iPhone Users

Update Apr. 17: This article, originally published on Apr. 16, has been updated to include details of the type of attacks used to target iPhone users, more expert analysis, and other updates issued alongside iOS 18.4.1.

Apple has released iOS 18.4.1 and it comes with a warning to update your iPhone now. That’s because iOS 18.4.1 fixes two iPhone security flaws, both of which are being used in real-life attacks.

Apple doesn’t provide a lot of detail about what’s fixed in iOS 18.4.1, because the iPhone maker wants to give people as much time to update before more attackers can get hold of the details.

The first flaw fixed in iOS 18.4.1 is an issue in the iPhone’s CoreAudio tracked as CVE-2025-31200 and reported by Apple and the Google Threat Analysis Group. Processing an audio stream in a maliciously crafted media file may result in code execution, Apple warned on its support page.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS,” the iPhone maker added.

The second bug patched in iOS 18.4.1 is a flaw in RPAC tracked as CVE-2025-31201 and reported by Apple. The vulnerability could allow an attacker with arbitrary read and write capability to bypass Pointer Authentication, Apple said, adding that the issue may also have been exploited in an “extremely sophisticated attack.”

The iOS 18.4.1 update comes just two weeks after the release of iOS 18.4, which itself patched 62 vulnerabilities, highlighting the importance of the latest upgrade.

In March, Apple again addressed an already-exploited flaw in the iOS 18.3.2 update.

What Kind Of Attack Were The iOS 18.4.1 Flaws Used For?

The fact that iOS 18.4.1 was issued so rapidly and between updates and the nature of the vulnerabilities indicates that the “targeted attacks” Apple refers to could have involved spyware. The first flaw in Core Media was reported by Google’s Threat Analysis Group which often discovers flaws of this type.

Meanwhile, cybersecurity expert Paul Ducklin explicitly says the iOS 18.4.1 patches address vulnerabilities used to plant spyware. He calls the Core Audio flaw a “Podcast of death.”

“I exaggerate for effect, but update your iPhone anyway — double zero-day used in spyware attack. A rogue audio file could pwn Apple iOS. Also applies to the rest of the Apple ecosystem,” Ducklin writes in a post on X, formerly Twitter.

Spyware attacks are bad because they allow adversaries access to everything on your device, including video, audio and even encrypted apps such as WhatsApp and Signal. This is because once your phone is taken over with spyware, attackers can see everything on your screen.

The good news is, spyware is very targeted, so the flaws fixed in iOS 18.4.1 were probably used in a small number of attacks against a specific subset of iPhone users.

If you suspect you have been targeted with spyware, one way of temporarily disrupting it is to turn your device on and off again. But the malware is very difficult to get rid of and you are usually better to stop using your device altogether.

Zero-Day Flaws Used In Attacks

The flaws fixed in iOS 18.4.1 are called zero-day issues because Apple had no time to fix them before they were out being used in the wild. Apple’s iOS 18.4.1 update underscores “the ongoing importance of rapid patching,” with two now fixed issues that may have already been exploited, says Sylvain Cortes, VP strategy, Hackuity.

The zero-day vulnerabilities were found before developers were made aware and could patch them. This means they pose a greater risk, Cortes says.

The Core Audio framework issue fixed in iOS 18.4.1 has “a high CVSS score of 7.5,” while the patch in RPAC tracked as CVE-2025-31201 has a CVE score of 6.8, but is still a concern, Cortes says. “An exploit of this zero day could be used by an attacker with an arbitrary read and write capability to bypass pointer authentication, a method which normally works by using codes to detect and guard against unexpected changes to pointers in device memory.”

Pointer Authentication is a security mechanism designed to resist memory disclosure attacks, says Adam Boynton, senior security strategy manager EMEIA at Jamf. “Bypassing it gives an attacker the opportunity to launch attacks and access to parts of the device’s memory.

If an attacker successfully bypass pointer authentication they could easily launch a targeted attack with serious consequences. “For individual users and enterprise environments alike, prompt installation of iOS 18.4.1 is not just recommended, it’s essential,” Cortes warns.

Other Updates Issued Alongside iOS 18.4.1

Alongside iOS and iPadOS 18.4.1, Apple also released macOS Sequoia 15.4.1 for Macs, tvOS 18.4.1 for its TV box and visionOS 2.4.1 for the Apple Vision Pro headset, all addressing the two already-exploited flaws. While these operating systems are vulnerable to the attack, Apple outlined that the people targeted in real life were using iOS, the iPhone software.

Apple also issued watchOS 11.4 fixing a hefty list of Apple Watch flaws, and Safari 18.4 for its browser, patching a number of vulnerabilities in WebKit, the engine that underpins it. Xcode 16.3 is available for macOS Sequoia 15.2 and later, fixing two security issues.

Why You Should Update Now To iOS 18.4.1

Apple’s iOS 18.4.1 is an emergency security update that comes in between major point upgrades, ahead of iOS 18.5’s arrival in May. There is no iOS 17 update for older iPhones, perhaps because the operating system is not affected by this flaw. However, Apple is no longer issuing security updates to iOS 17 users that are able to upgrade to iOS 18.

The flaws have been fixed in a smaller iPhone update — and there is an indication that they’re being actively exploited. This highlights the importance of this update, says independent security researcher Sean Wright. “As a result I would recommend people update as soon as possible,” he says, adding that there “is no need to panic in most cases.”

With the security fixes in iOS 18.4.1 addressing two zero-day vulnerabilities, all users should “immediately update their Apple devices,” says Boynton.

Despite the urgency of the iOS 18.4.1 upgrade, Apple said the flaws fixed in iOS 18.4.1 were used in targeted attacks. These are likely against journalists, dissidents, government officials and businesses in certain sectors. Yet if attackers get hold of the details, they can use the flaws more widely.

The fact that the two vulnerabilities patched in iOS 18.4.1 are “extremely sophisticated to exploit” explains why Apple has only observed attacks against specific, targeted individuals, Boynton says. “However, the limited scope of these attacks should not deter users from updating their devices promptly.”

Apple’s iOS 18.4.1 also addresses several bugs, including one that prevents wireless CarPlay connection in certain vehicles.

The iOS 18.4.1 update is available for the iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

So what are you waiting for? Go to your iPhone Settings > General > Software Update and download and install iOS 18.4.1 now.