Apple has launched emergency updates to patch one other zero-day vulnerability that was exploited in an “extraordinarily subtle assault.”
Tracked as CVE-2025-43300, this safety flaw is attributable to an out-of-bounds write weak spot found by Apple safety researchers within the Picture I/O framework, which permits functions to learn and write most picture file codecs.
An out-of-bounds write happens when attackers efficiently exploit such vulnerabilities by supplying enter to a program, inflicting it to jot down information exterior the allotted reminiscence buffer, which may result in this system crashing, corrupting information, or, within the worst-case state of affairs, permitting distant code execution.
“Apple is conscious of a report that this situation might have been exploited in an especially subtle assault towards particular focused people,” the corporate revealed in safety advisories issued on Wednesday.
“An out-of-bounds write situation was addressed with improved bounds checking. Processing a malicious picture file might end in reminiscence corruption.”
Apple has addressed this situation with improved bounds checking to forestall exploitation in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
The entire record of units impacted by this zero-day vulnerability is in depth, because the bug impacts each older and newer fashions, together with:
- iPhone XS and later,
- iPad Professional 13-inch, iPad Professional 12.9-inch third era and later, iPad Professional 11-inch 1st era and later, iPad Air third era and later, iPad seventh era and later, and iPad mini fifth era and later, iPad Professional 12.9-inch 2nd era, iPad Professional 10.5-inch, and iPad sixth era,
- and Macs working macOS Sequoia, Sonoma, and Ventura.
The corporate has but to attribute the invention to one among its researchers and has not but revealed particulars relating to the assaults it described as “extraordinarily subtle.”
Whereas this flaw is probably going solely exploited in extremely focused assaults, it’s strongly suggested to put in as we speak’s safety updates promptly to forestall any potential ongoing assaults.
With this vulnerability, Apple has mounted a complete of six zero-days exploited within the wild because the begin of the yr, the first in January (CVE-2025-24085), the second in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two extra in April (CVE-2025-31200 and CVE-2025-31201).
In 2024, the corporate has patched six different actively exploited zero-days: one in January, two in March, a fourth in Could, and two others in November.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration tendencies.
