Apple has released several updates to address vulnerabilities impacting a range of its mobile and desktop products, including an actively exploited zero-day vulnerability in iOS. The flaw, designated CVE-2025-24085, is a use-after-free vulnerability in iOS’s CoreMedia component that could allow threat actors to take control of vulnerable devices through a fake app that pretends to play media files.
Apple confirmed that it is aware of reports that CVE-2025-24085 has been actively exploited in 17.2 and earlier versions of iOS. The company also advised that the vulnerability was fixed by improving memory management but offered no further details regarding its exploitation.
Along with CVE-2025-24085, Apple also issued patches for 28 additional vulnerabilities in iOS and 60 vulnerabilities in macOS Sequoia that, when exploited, could lead to various outcomes including authentication bypass, denial-of-service (DoS), arbitrary code execution, privilege escalation, user fingerprinting, system file modification, spoofing, information exposure, and command injection.
The updates also addressed seven vulnerabilities in Apple’s Safari browser that could lead to browser extension authentication bypass, user interface spoofing, address bar spoofing, user fingerprinting, DoS, and unexpected process crashes.
Apple is advising impacted users to update their devices as soon as possible.
Source: SecurityWeek
Analysis
CoreMedia is a foundational framework that ensures Apple devices deliver high-performance multimedia experiences. Its efficient processing is critical to maintaining the smooth, reliable playback and creation of media content on iPhones, iPads, Macs, and Apple Watches.
Apple hasn’t offered any details regarding the exploitation of the flaw. However, exploitation of previous CoreMedia vulnerabilities has required minimal user interaction, such as playing a malicious video or opening a link. For example, CVE-2023-32434 was also exploited as a zero-day vulnerability and allowed sophisticated threat actors to execute arbitrary code via a specially crafted video file.
The exploitation of CVE-2023-32434 prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2023-32434 to its Known Exploited Vulnerability (KEV) database and order federal agencies to secure all impacted devices within a month.
Given the widespread use of Apple devices potentially vulnerable to CVE-2025-24085 and its ease of exploitation, it’s likely that threat actors will continue to target this vulnerability as long as they can. Therefore, impacted users must update their devices as soon as possible.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Apple’s operating systems. Field Effect MDR users are automatically notified if a vulnerable version of Apple software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that impacted users install the patch as soon as possible, in accordance with Apple’s advisory.