Apple issues emergency update for ‘extremely sophisticated’ zero-day exploitation

Apple has released an emergency update to address a zero-day vulnerability affecting many of its iPhones, iPads, Apple Vision Pro, and Mac products.

The bug, designated CVE-2025-24201, is an out-of-bounds write vulnerability in WebKit that can be leveraged to break out of the Web Content sandbox simply by directing the user to maliciously crafted web content. WebKit is Apple’s cross-platform web browser engine used by Apple's own Safari web browser and many other apps and web browsers that run on macOS, iOS, Linux, and Windows.

Apple has advised that it is aware of a report that CVE-2025-24201 may have been exploited in an ‘extremely sophisticated’ attack against specific, targeted individuals on versions before iOS 17.2, however, the company has not provided any further details.

According to Apple CVE-2025-24201 was fixed in iOS 17.2 which was released in December 2023. The new updates are supplementary and include improved checks to prevent unauthorized actions in:

• iOS 18.3.2
• iPadOS 18.3.2
• macOS Sequoia 15.3.2
• visionOS 2.3.2
• Safari 18.3.1

Source: Bleeping Computer

Analysis

Over the years, Apple's WebKit engine has been the focal point of several critical vulnerabilities, some of which have been actively exploited as zero-day attacks. Notable instances include:

• CVE-2023-23529 (February 2023): A type confusion issue in WebKit that allowed malicious web content to execute arbitrary code on affected devices. This vulnerability was actively exploited in the wild, prompting Apple to release emergency security updates for iOS, iPadOS, macOS, and Safari.
• CVE-2023-28204 and CVE-2023-32373 (May 2023): These vulnerabilities involved WebKit's handling of specially crafted web content, leading to potential sensitive information disclosure and arbitrary code execution. Both were actively exploited, resulting in rapid security responses from Apple to mitigate the threats.
• CVE-2023-32409 (May 2023): This flaw allowed remote attackers to break out of the Web Content sandbox, posing significant security risks. Reports indicate active exploitation, underscoring the critical nature of timely security updates.

Historically, state-sponsored actors have leveraged zero-day vulnerabilities in Apple products to infiltrate the devices of targeted individuals. A notable instance is the FORCEDENTRY exploit, allegedly developed by the NSO Group, which enabled the deployment of Pegasus spyware on iPhones.

This exploit circumvented Apple's "BlastDoor" security mechanism, allowing attackers to compromise devices without user interaction. The FORCEDENTRY vulnerability was discovered by Citizen Lab, a research group renowned for uncovering digital espionage campaigns against civil society.

Citizen Lab's investigations have repeatedly revealed the use of Apple zero-click exploits by state actors to monitor activists, journalists, and political figures. Thus, it’s possible the report Apple cited regarding an ‘extremely sophisticated’ attack leveraging CVE-2025-24201 was the result of a recent Citizen Lab investigation.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software such as Apple’s operating systems. Field Effect MDR users are automatically notified if a vulnerable version of Apple software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that impacted users install the patch as soon as possible, in accordance with Apple’s advisory.

Related Articles

• Apple patches first iOS zero-day vulnerability of 2025
• Apple issues emergency patch for RCE and CSS zero-days
• Apple fixes flaw that dictates passwords out loud