Security Intelligence
Loading table of contents...
Loading table of contents...
Apple has released significant security updates for iOS 18.5 and macOS platforms, addressing critical vulnerabilities that could be exploited by simply opening a malicious image, video, or website. These updates, rolled out on May 12, 2025, aim to enhance device security by patching several flaws across various system components.
Among the most severe issues fixed are vulnerabilities in AppleJPEG and CoreMedia, which could allow attackers to craft malicious media files capable of executing arbitrary code with the privileges of the targeted application.
Additionally, flaws in CoreAudio, CoreGraphics, and ImageIO were addressed, each potentially leading to application crashes or data leaks upon opening specially crafted content. The update also rectifies at least nine WebKit vulnerabilities, some of which could enable hostile websites to execute code or crash the Safari browser engine.
Stay on top of emerging threats.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
Other notable fixes include a serious 'mute-button' flaw in FaceTime that exposed audio conversations even after muting the microphone, and kernel hardening against two memory-corruption issues. Apple also addressed a libexpat flaw (CVE-2024-8176) affecting a broad range of software projects, as well as issues in Baseband (CVE-2025-31214) that allowed attackers in a privileged network position to intercept traffic on the new iPhone 16e line.
Furthermore, a privilege escalation bug in mDNSResponder (CVE-2025-31222) and an issue in Notes that exposed data from a locked iPhone screen were patched.
While Apple has not indicated that any of these vulnerabilities have been exploited in the wild, the company strongly recommends users update their devicers to the latest versions to mitigate potential security risks. The iOS 18.5 update is available for iPhone XS and later models, and the companion iPadOS release covers compatible iPad devices.
Source: Security Week
Analysis
These new Apple vulnerabilities are significant not only for their technical severity but also for the variety of potential exploitation vectors they open. The most concerning flaws involve components like AppleJPEG, CoreMedia, and WebKit, which are integral to how the system processes images, video, and web content.
The criticality lies in the fact that exploitation could be completely passive—a user may only need to open a malicious image, video, or visit a compromised website to trigger arbitrary code execution. This kind of exploit pathway is attractive to threat actors because it doesn’t require tricking users into downloading or running a suspicious app, making the attack surface broader and stealthier.
These types of vulnerabilities are especially valuable in surveillance and espionage campaigns, where stealth and zero-click capabilities are crucial. For instance, similar bugs in image or media processing have been exploited in the past by nation-state groups.
A notable example is NSO Group’s Pegasus spyware, which leveraged iMessage and WebKit vulnerabilities to deploy spyware without user interaction. Exploits targeting media libraries and WebKit are commonly used in zero-click attacks against journalists, dissidents, diplomats, and political figures because they can bypass even savvy user defenses.
While Apple states that none of these vulnerabilities are known to be exploited in the wild, the nature of the bugs and their historical analogs suggest that advanced persistent threat (APT) groups and commercial surveillance vendors are likely watching these patches closely. Often, these actors use newly published vulnerabilities to reverse-engineer exploits before users fully update, particularly in cases where patches are slow to deploy across enterprise fleets.
Additionally, these vulnerabilities may eventually trickle down to criminal actors, especially once proof-of-concept exploits become public.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software such as Apple operating systems. Field Effect MDR users are automatically notified if a vulnerable version of Apple software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that impacted users install the patch as soon as possible, in accordance with Apple’s advisory.
