Apple fixes dangerous zero-day used in attacks against iPhones and iPads

An option to add Ambient Music buttons to the iOS 18.4 Control Center.

(Image credit: Future)

Apple released a new fix for iOS and iPadOS
It solves a zero-day used in "extremely sophisticated" attacks
This is the third zero-day addressed this year

Apple has released a new patch for iOS and iPadOS addressing a vulnerability abused in “extremely sophisticated” attacks. In a security advisory published earlier this week, the company said it recently uncovered an out-of-bounds write issue in WebKit, its cross-platform web browser engine.

WebKit is used by Apple’s browser, Safari, as well as other apps and browsers on macOS, iOS, Linux, and Windows.

The vulnerability is tracked as CVE-2025-24201, and can be used to break out of the Web Content sandbox through custom-built web content. It is yet to be assigned a severity score.

ConnectWise RAT

Apparently, the vulnerability was fixed in iOS 17.2, but can still be exploited in older models: "This is a supplementary fix for an attack that was blocked in iOS 17.2," Apple said in the advisory. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2."

The bug was fixed with improved checks, thus preventing unauthorized actions. The first clean versions are iOS 18.3.2., iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. According to CyberInsider, the patch applies to a broad range of Apple devices such as iPhones (XS and later), iPads (Pro, Air, mini, and standard models from the 3rd generation onward), and macOS Sequoia-powered devices.

It’s Apple standard practice to withhold details about the vulnerability until the majority of endpoints have been patched. Therefore, we don’t know who the threat actors of this “extremely sophisticated” attack are, or who the victims were.

BleepingComputer reports that this is the third zero-day vulnerability Apple fixed this year, after the January CVE-2025-24085, and February CVE-2025-24200. Last year, the company addressed six zero-day vulnerabilities in total.

Via BleepingComputer

Apple security alert - zero-day patched, so update your devices now
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.