Apple fixes new zero-day flaw exploited in targeted attacks


Apple has released emergency updates to patch another zero-day vulnerability that was exploited in an “extremely sophisticated attack.”

Tracked as CVE-2025-43300, this security flaw is caused by an out-of-bounds write weakness discovered by Apple security researchers in the Image I/O framework, which enables applications to read and write most image file formats.

An out-of-bounds write occurs when input supplied to a program causes it to write data outside the allocated memory buffer. Attackers who successfully exploit such a vulnerability can crash the program, corrupt data, or, in the worst-case scenario, achieve remote code execution.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company revealed in security advisories issued on Wednesday.

“An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption.”

Apple has addressed this issue with improved bounds checking to prevent exploitation in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
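To illustrate the bug class and the kind of bounds check described above, here is an added example. It is not Apple's code and does not reflect the actual Image I/O flaw, whose details the advisory does not give. The run-length image format, `decode_rle`, and the sample inputs are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy format (constructed for this example, not a real codec):
 *   byte 0 = width, byte 1 = height, then (count, value) run-length pairs. */
enum decode_status { DEC_OK = 0, DEC_TRUNCATED, DEC_OVERRUN, DEC_SHORT, DEC_NOMEM };

/* Decodes into a freshly allocated width*height buffer; caller frees *out. */
enum decode_status decode_rle(const uint8_t *in, size_t in_len,
                              uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (in_len < 2)
        return DEC_TRUNCATED;
    size_t cap = (size_t)in[0] * (size_t)in[1];  /* at most 255*255, no overflow */
    uint8_t *buf = malloc(cap ? cap : 1);
    if (!buf)
        return DEC_NOMEM;
    size_t written = 0;
    for (size_t i = 2; i < in_len; i += 2) {
        size_t run = in[i];
        /* The bounds check. Without the second condition, a run longer than
         * the space left makes memset write past the end of buf. */
        if (in_len - i < 2 || run > cap - written) {
            free(buf);
            return in_len - i < 2 ? DEC_TRUNCATED : DEC_OVERRUN;
        }
        memset(buf + written, in[i + 1], run);
        written += run;
    }
    if (written != cap) {          /* fewer pixels than the header promised */
        free(buf);
        return DEC_SHORT;
    }
    *out = buf;
    *out_len = cap;
    return DEC_OK;
}

/* Constructed sample inputs: a valid 2x2 image and one whose second run
 * claims 200 pixels although only one slot remains. */
const uint8_t GOOD[] = { 2, 2, 3, 0xAA, 1, 0xBB };
const uint8_t EVIL[] = { 2, 2, 3, 0xAA, 200, 0xBB };
```

The decoder trusts the header only for the allocation size and validates every run against the space remaining, so a file that lies about its contents is rejected instead of corrupting memory.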

The full list of devices impacted by this zero-day vulnerability is extensive, as the bug affects both older and newer models, including:

  • iPhone XS and later,
  • iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation,
  • and Macs running macOS Sequoia, Sonoma, and Ventura.

The company has yet to attribute the discovery to one of its researchers and has not yet published details regarding the attacks it described as “extremely sophisticated.”

While this flaw is likely only exploited in highly targeted attacks, it’s strongly advised to install today’s security updates promptly to prevent any potential ongoing attacks.

With this vulnerability, Apple has fixed a total of six zero-days exploited in the wild since the start of the year, the first in January (CVE-2025-24085), the second in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201).

In 2024, the company patched six other actively exploited zero-days: one in January, two in March, a fourth in May, and two others in November.
