Apple addressed a zero-day vulnerability, tracked as CVE-2025-24201, that has been exploited in “extremely sophisticated” cyber attacks.
Apple has released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24201, in the WebKit cross-platform web browser engine.
The vulnerability is an out-of-bounds write issue that was exploited in “extremely sophisticated” attacks.
An attacker can exploit the vulnerability using maliciously crafted web content to escape the Web Content sandbox. Apple released this fix as an additional measure after blocking a similar attack in iOS 17.2.
“Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)” reads the advisory published by the company.
The company addressed this vulnerability with improved checks. Apple released iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1 to address the zero-day.
The flaw impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, Macs running macOS Sequoia, and Apple Vision Pro.
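A patch-compliance check built from the fixed versions listed above, as an added example that is not part of the original article or Apple's advisory. The inventory rows, host names and status labels are constructed for illustration.

```python
# Fixed versions for CVE-2025-24201 as listed in the article.
FIXED = {
    "iOS": "18.3.2",
    "iPadOS": "18.3.2",
    "macOS": "15.3.2",
    "visionOS": "2.3.2",
    "Safari": "18.3.1",
}

def parse_version(text):
    """Turn '18.3' into (18, 3, 0) so 18.3 sorts below 18.3.2 and 18.10 above it."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(product, version):
    """Classify one installed product against the fixed version from the article."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown-product"
    try:
        have = parse_version(version)
    except ValueError:
        return "unparseable"          # e.g. beta strings; needs manual review
    want = parse_version(fixed)
    if have >= want:
        return "patched"
    if have[0] < want[0]:
        # The article lists no fixed build for older major release lines.
        return "review-older-major"
    return "needs-update"

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("iphone-ops-01", "iOS", "18.3.2"),
    ("iphone-exec-02", "iOS", "18.3"),
    ("ipad-lab-03", "iPadOS", "17.7.2"),
    ("mbp-dev-04", "macOS", "15.3.1"),
    ("mbp-dev-04", "Safari", "18.3.1"),
    ("vision-demo-05", "visionOS", "2.3.2"),
]

def triage(inventory):
    """Group inventory rows by status so unpatched hosts can be worked first."""
    report = {}
    for host, product, version in inventory:
        report.setdefault(status(product, version), []).append((host, product, version))
    return report

if __name__ == "__main__":
    for state, rows in sorted(triage(INVENTORY).items()):
        print(state, rows)
```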
Apple did not disclose details about the attacks or attribute them to any threat actor.
CVE-2025-24201 is the third zero-day Apple has fixed since the start of the year. Below are the other flaws the company has fixed:
- January 2025 – CVE-2025-24085 – A privilege escalation vulnerability that impacts the Core Media framework.
- February 2025 – CVE-2025-24200 – An attacker could have exploited the vulnerability to disable the USB Restricted Mode “on a locked device.” Apple’s USB Restricted Mode is a security feature introduced in iOS 11.4.1 to protect devices from unauthorized access via the Lightning port.