Full Disclosure mailing list archives
Re: [FD] Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft
From: josephgoyd via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 02 Oct 2025 21:42:10 +0000
Updated repo location: https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201 Working exploit: https://www.dropbox.com/scl/fi/oerpnhq1ui3xfswsszfh2/Audio-clip.amr?rlkey=7n54m1o84poezyipxvd2f9slx&st=b1tkonvr&dl=0 On Mon, Jun 9, 2025 at 10:48 PM, josephgoyd via Fulldisclosure <[fulldisclosure () seclists org](mailto:On Mon, Jun 9, 2025 at 10:48 PM, josephgoyd via Fulldisclosure <<a href=)> wrote:
Hello Full Disclosure, This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor. Apple issued a silent fix in iOS 18.4.1 (April 2025) without public acknowledgment or credit. This post establishes authorship, ensures technical transparency, and invites peer review. It is published to resist institutional suppression and promote user awareness. Summary: - CVEs: CVE-2025-31200 & CVE-2025-31201 - Affected Devices: iPhones running iOS 18.2 through iOS 18.4 - Exploitable at Discovery: Yes (active zero-day on iOS 18.2 at time of report) - Trigger: Zero-click MP4 with AAC audio sent via iMessage - Exploit Chain: Blastdoor trust bypass → CoreAudio heap corruption → PAC bypass → Secure Enclave key theft → wormable peer injection - Impact: Full device compromise, crypto key theft, identity hijacking, peer-to-peer propagation - Patched: iOS 18.4.1 (quiet release) Technical Overview: Apple’s trust model allowed audio messages from known iMessage senders to bypass Blastdoor sandboxing. A crafted MP4 file with AAC encoding triggered heap corruption in CoreAudio (CVE-2025-31200), leading to RCE. This was chained with a malformed AMPDU metadata exploit (CVE-2025-31201) that bypassed Pointer Authentication (PAC), enabling kernel-level control. The exploit chain facilitated: - Extraction of Secure Enclave–protected keys via CryptoTokenKit - Forgery of Apple identity sessions - Silent crypto wallet draining - Peer injection and lateral device propagation via MultipeerConnectivity Context & Urgency: This disclosure parallels recent real-world incidents such as the Oil Engineering crypto theft, where enclave misuse and identity spoofing led to material loss. With escalating social engineering threats and trust-channel abuse in mobile ecosystems, this case illustrates systemic risk. Disclosure Timeline: - Dec 20, 2024 — Live zero-day discovered on iOS 18.2 and reported to Apple (Report ID: OE19648805943313) - Jan 21, 2025 — Escalated to US-CERT / CISA (Tracking ID: VRF#25-01-MPVDT) - Apr 11, 2025 — Full exploit chain submitted to Google Project Zero - Apr 16, 2025 — Quiet patch issued in iOS 18.4.1 - Jun 6, 2025 — Public full disclosure CVEs Assigned: - CVE-2025-31200 — Heap corruption in CoreAudio AAC decoder - CVE-2025-31201 — Kernel escalation via malformed AMPDU metadata (PAC bypass) Write-Up and Artifacts: https://weareapartyof1.substack.com/p/the-crypto-heist-apple-kept-quiet Validation: - Reproducible on iOS 18.2 and iOS 18.4 - Exploit artifacts verified by independent researchers - No active payloads or binaries distributed - Logs, call traces, and affected APIs fully documented Call for Collaboration: Researchers are encouraged to reproduce the trust bypass conditions, verify CryptoTokenKit key exposure, and evaluate Secure Enclave leakage vectors. I welcome validation, feedback, and partnership on wider threat modeling. Final Note: This disclosure creates a permanent public record of suppressed vulnerability research. Apple quietly fixed the issue. But they never told you. This record stands for those who weren’t informed, warned, or credited. Joseph Goydish II _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Re: [FD] Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft josephgoyd via Fulldisclosure (Oct 02)