Apple fixes dangerous zero-day used in attacks against iPhones and iPads

News
By published

This is the third zero-day patched this year

An option to add Ambient Music buttons to the iOS 18.4 Control Center.
(Image credit: Future)
  • Apple released a new fix for iOS and iPadOS
  • It solves a zero-day used in "extremely sophisticated" attacks
  • This is the third zero-day addressed this year

Apple has released a new patch for iOS and iPadOS addressing a vulnerability abused in “extremely sophisticated” attacks. In a security advisory published earlier this week, the company said it recently uncovered an out-of-bounds write issue in WebKit, its cross-platform web browser engine.

WebKit is used by Apple’s browser, Safari, as well as other apps and browsers on macOS, iOS, Linux, and Windows.

The vulnerability is tracked as CVE-2025-24201, and can be used to break out of the Web Content sandbox through custom-built web content. It is yet to be assigned a severity score.

ConnectWise RAT

Apparently, the vulnerability was fixed in iOS 17.2, but can still be exploited in older models: "This is a supplementary fix for an attack that was blocked in iOS 17.2," Apple said in the advisory. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2."

The bug was fixed with improved checks, thus preventing unauthorized actions. The first clean versions are iOS 18.3.2., iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. According to CyberInsider, the patch applies to a broad range of Apple devices such as iPhones (XS and later), iPads (Pro, Air, mini, and standard models from the 3rd generation onward), and macOS Sequoia-powered devices.

It’s Apple standard practice to withhold details about the vulnerability until the majority of endpoints have been patched. Therefore, we don’t know who the threat actors of this “extremely sophisticated” attack are, or who the victims were.

BleepingComputer reports that this is the third zero-day vulnerability Apple fixed this year, after the January CVE-2025-24085, and February CVE-2025-24200. Last year, the company addressed six zero-day vulnerabilities in total.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Apple Siri
Update your Apple device now: iOS 18.3.2 fixes a flaw that could be exploited by hackers
Apple's new "Share Item Location" feature for AirTags.
Apple security alert - zero-day patched, so update your devices now
An iPhone with a 10:30am alarm ringing next to an Apple Watch that displays the time as 12:42pm
Apple warns "extremely sophisticated attack" hits iPhones and iPads, so update now
The Apple logo is seen with the iOS 18 operating system logo in the background on a mobile device
Apple fixes Passwords app security bug with new 18.2 update
Someone checking their credit card details online.
Apple forced to patch iOS and macOS security flaw that could have leaked your private info
Representational image of a cybercriminal
Microsoft just patched a host of worrying security issues, so update now
Latest in Security
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
Scam alert
Fake jobs and phone calls: How Americans lost $12.5 bn to fraud in 2024
Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration
Google bug bounty payments hit nearly $12 million in 2024
Scam alert
A new SMS energy scam is using Elon Musk’s face to steal your money
Latest in News
Project Moohan prototype at Samsung Galaxy Unpacked, an XR goggles headset on display in a show area
Samsung's Android XR headset could avoid the Apple Vision Pro's biggest mistake, according to this leak
Rivian R1T
Big Rivian update delivers hands-off driving to rival Tesla Autopilot – and a new 'Rally' mode
Google Pixel 9 in Wintergreen showing back camera bar
The Google Pixel 10 could get a big camera boost if this new leak is legit
The Samsung Galaxy S25 Edge, close up on the dual camera system, against a marbled background
The Samsung Galaxy S25 Edge is being tipped to come with a sweet Google Gemini deal
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Diego Luna looks questioningly at the back of someone's head as Cassian Andor in the show Andor
Disney+ is making Andor free to stream on YouTube, and now you have no excuse not to watch the best Star Wars show
More about security
Dr Chase Cunningham speaking at ZTW25

The grand delusion: endpoint protection isn’t the magic pill, says Dr Zero Trust
An American flag flying outside the US Capitol building against a blue sky

Sean Plankey selected as CISA director by President Trump
Google Pixel 9 in Wintergreen showing back camera bar

The Google Pixel 10 could get a big camera boost if this new leak is legit
See more latest
Most Popular
Google Pixel 9 in Wintergreen showing back camera bar
The Google Pixel 10 could get a big camera boost if this new leak is legit
Group of businesspeople negotiating gathered in modern conference room, blurred silhouettes view, meeting behind closed glass doors. Business communication, workflow, decision-making, strategy sharing
Many workers aren't sure how much their companies are set up to help them be productive
Diego Luna looks questioningly at the back of someone's head as Cassian Andor in the show Andor
Disney+ is making Andor free to stream on YouTube, and now you have no excuse not to watch the best Star Wars show
Project Moohan prototype at Samsung Galaxy Unpacked, an XR goggles headset on display in a show area
Samsung's Android XR headset could avoid the Apple Vision Pro's biggest mistake, according to this leak
Canva
It's just a concept for now, but this RTX 5090 liquid-cooled gaming laptop is possibly the craziest thing I've seen in a while
Rivian R1T
Big Rivian update delivers hands-off driving to rival Tesla Autopilot – and a new 'Rally' mode
Matt Murdock and Kirsten McDuffie standing in a court room in Daredevil: Born Again
Daredevil: Born Again episode 3 contains another Marvel reference to Spider-Man, but it's got nothing to do with Tom Holland's Peter Parker
The Samsung Galaxy S25 Edge, close up on the dual camera system, against a marbled background
The Samsung Galaxy S25 Edge is being tipped to come with a sweet Google Gemini deal
iRobot Roomba Combo 405 Plus
7 of my favorite upgrades in the all-new Roomba robovacs – plus 2 I'm worried about
Person holding phone showing O2 logo in front of Virgin Media logo
Virgin Media O2 reveals £700m network transformation plan to boost reliability across the board