- Apple released a new fix for iOS and iPadOS
- It solves a zero-day used in “extremely sophisticated” attacks
- This is the third zero-day addressed this year
Apple has released a new patch for iOS and iPadOS addressing a vulnerability abused in “extremely sophisticated” attacks. In a security advisory published earlier this week, the company said it recently uncovered an out-of-bounds write issue in WebKit, its cross-platform web browser engine.
WebKit is used by Apple’s browser, Safari, as well as other apps and browsers on macOS, iOS, Linux, and Windows.
The vulnerability is tracked as CVE-2025-24201, and can be used to break out of the Web Content sandbox through custom-built web content. It is yet to be assigned a severity score.
ConnectWise RAT
Apparently, the vulnerability was fixed in iOS 17.2, but can still be exploited in older models: “This is a supplementary fix for an attack that was blocked in iOS 17.2,” Apple said in the advisory. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”
The bug was fixed with improved checks, thus preventing unauthorized actions. The first clean versions are iOS 18.3.2., iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. According to CyberInsider, the patch applies to a broad range of Apple devices such as iPhones (XS and later), iPads (Pro, Air, mini, and standard models from the 3rd generation onward), and macOS Sequoia-powered devices.
It’s Apple standard practice to withhold details about the vulnerability until the majority of endpoints have been patched. Therefore, we don’t know who the threat actors of this “extremely sophisticated” attack are, or who the victims were.
BleepingComputer reports that this is the third zero-day vulnerability Apple fixed this year, after the January CVE-2025-24085, and February CVE-2025-24200. Last year, the company addressed six zero-day vulnerabilities in total.
Via BleepingComputer
