Apple has launched emergency updates to patch one other zero-day vulnerability that was exploited in an “extraordinarily refined assault.”
Tracked as CVE-2025-43300, this security flaw is brought on by an out-of-bounds write weak spot found by Apple security researchers within the Picture I/O framework, which permits functions to learn and write most picture file codecs.
An out-of-bounds write happens when attackers efficiently exploit such vulnerabilities by supplying enter to a program, inflicting it to put in writing knowledge exterior the allotted reminiscence buffer, which might result in this system crashing, corrupting knowledge, or, within the worst-case state of affairs, permitting distant code execution.
“Apple is conscious of a report that this challenge might have been exploited in an especially refined assault towards particular focused people,” the corporate revealed in security advisories issued on Wednesday.
“An out-of-bounds write challenge was addressed with improved bounds checking. Processing a malicious picture file might end in reminiscence corruption.”
Apple has addressed this challenge with improved bounds checking to forestall exploitation in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
The entire checklist of units impacted by this zero-day vulnerability is in depth, because the bug impacts each older and newer fashions, together with:
- iPhone XS and later,
- iPad Professional 13-inch, iPad Professional 12.9-inch third technology and later, iPad Professional 11-inch 1st technology and later, iPad Air third technology and later, iPad seventh technology and later, and iPad mini fifth technology and later, iPad Professional 12.9-inch 2nd technology, iPad Professional 10.5-inch, and iPad sixth technology,
- and Macs working macOS Sequoia, Sonoma, and Ventura.
The corporate has but to attribute the invention to one among its researchers and has not but printed particulars concerning the assaults it described as “extraordinarily refined.”
Whereas this flaw is probably going solely exploited in extremely focused assaults, it’s strongly suggested to put in at the moment’s security updates promptly to forestall any potential ongoing assaults.
With this vulnerability, Apple has mounted a complete of six zero-days exploited within the wild for the reason that begin of the 12 months, the primary in January (CVE-2025-24085), the second in February (CVE-2025-24200), a 3rd in March (CVE-2025-24201), and two extra in April (CVE-2025-31200 and CVE-2025-31201).
In 2024, the corporate has patched six different actively exploited zero-days: one in January, two in March, a fourth in Could, and two others in November.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration developments.
