Apple rushed an emergency software update to its customers Wednesday to address an actively exploited zero-day vulnerability affecting the software powering the company’s most popular devices. The out-of-bounds write defect, CVE-2025-43300, sits in the ImageIO image-parsing framework: processing a malicious image file can result in memory corruption, so the attack surface is any path by which a crafted image reaches an affected device and gets decoded.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a series of security updates for iOS, iPadOS and macOS.
The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Thursday.
Apple did not say how many active exploits it’s aware of or how many people are impacted. The company did not respond to a request for comment.
Apple typically shares limited details about in-the-wild exploitation of zero-days, yet it has used stronger language in at least five vulnerability disclosures this year to indicate when sophisticated attackers are involved or specific people are targeted by these attacks, according to Satnam Narang, senior staff research engineer at Tenable.
“This language suggests that Apple is being purposeful in its external communication,” Narang said in an email. “While the impact to the wider populace is smaller because the attackers exploiting CVE-2025-43300 had a narrow, targeted focus, Apple wants the public to pay attention to the threat and take immediate action.”
Apple said it addressed the vulnerability with improved bounds checking and advised customers on impacted versions of the affected software to apply the update immediately. The fixes shipped as point releases to the macOS 13.7 and 15.6 lines, the iPadOS 17.7 line, and the iOS and iPadOS 18.6 line (iOS 18.6.2, iPadOS 18.6.2 and iPadOS 17.7.10, macOS Sequoia 15.6.1 and macOS Ventura 13.7.8, alongside macOS Sonoma 14.7.8); earlier builds of those release lines remain vulnerable.
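To make “improved bounds checking” concrete, the following is an added illustration written for this page. It is not Apple’s ImageIO code and is not derived from the details of CVE-2025-43300, which Apple has not published; the container format, field names and buffer sizes are all constructed for the example. A toy image header declares a pixel count and a payload offset, and a fixed-size canvas is filled from the file. The “before” decoder trusts the header and overruns the canvas; the “after” decoder validates offset and length against both the file size and the destination before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy image container (hypothetical, not any real Apple format):
 *   bytes 0..3    magic "TIMG"
 *   bytes 4..7    pixel_count, little-endian u32  (attacker controlled)
 *   bytes 8..11   data_offset, little-endian u32  (attacker controlled)
 *   bytes data_offset..  pixel_count bytes of 8-bit pixels
 */
#define TIMG_HDR_LEN 12
#define CANVAS_LEN   64   /* fixed-size decode target */
#define GUARD_LEN    64   /* bytes after the canvas that a correct decoder never touches */

/* Canvas and guard live in one array so an overrun stays observable and well-defined here. */
struct decode_target {
    uint8_t mem[CANVAS_LEN + GUARD_LEN];
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int magic_ok(const uint8_t *file, size_t len) {
    return len >= TIMG_HDR_LEN && memcmp(file, "TIMG", 4) == 0;
}

/* "Before": trusts the header. Returns 0 on success, -1 on bad magic. */
int decode_vulnerable(const uint8_t *file, size_t len, struct decode_target *t) {
    if (!magic_ok(file, len)) return -1;
    uint32_t n   = rd_le32(file + 4);
    uint32_t off = rd_le32(file + 8);
    /* BUG: n is never compared with CANVAS_LEN, so a large pixel_count writes past the canvas;
     * off and n are also never checked against len, which is an out-of-bounds read as well. */
    memcpy(t->mem, file + off, n);
    return 0;
}

/* "After": improved bounds checking. Returns 0 on success, -1 when the file is rejected. */
int decode_hardened(const uint8_t *file, size_t len, struct decode_target *t) {
    if (!magic_ok(file, len)) return -1;
    uint32_t n   = rd_le32(file + 4);
    uint32_t off = rd_le32(file + 8);
    if (off < TIMG_HDR_LEN || off > len) return -1;  /* payload must start inside the file, after the header */
    if (n > len - off) return -1;                     /* payload must end inside the file; off <= len so no wrap */
    if (n > CANVAS_LEN) return -1;                    /* payload must fit the decode target */
    memcpy(t->mem, file + off, n);
    return 0;
}

/* Constructed sample: header followed immediately by n payload bytes of 0xAB. Returns file length, 0 if too big. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t n) {
    size_t total = TIMG_HDR_LEN + (size_t)n;
    if (total > cap) return 0;
    memcpy(out, "TIMG", 4);
    out[4] = n & 0xff; out[5] = (n >> 8) & 0xff; out[6] = (n >> 16) & 0xff; out[7] = (n >> 24) & 0xff;
    out[8] = TIMG_HDR_LEN; out[9] = 0; out[10] = 0; out[11] = 0;
    memset(out + TIMG_HDR_LEN, 0xAB, n);
    return total;
}

/* Number of guard bytes that are no longer zero after a decode; non-zero means the canvas was overrun. */
int guard_corrupted(const struct decode_target *t) {
    int bad = 0;
    for (size_t i = CANVAS_LEN; i < CANVAS_LEN + GUARD_LEN; i++) if (t->mem[i] != 0) bad++;
    return bad;
}

/* Decode a sample declaring n pixels with the vulnerable decoder; returns corrupted guard bytes, -1 if decode failed. */
int run_vulnerable(uint32_t n) {
    uint8_t file[256]; struct decode_target t; memset(&t, 0, sizeof t);
    size_t len = build_sample(file, sizeof file, n);
    if (decode_vulnerable(file, len, &t) != 0) return -1;
    return guard_corrupted(&t);
}

/* Same sample through the hardened decoder; returns -1 when rejected, else corrupted guard bytes (always 0). */
int run_hardened(uint32_t n) {
    uint8_t file[256]; struct decode_target t; memset(&t, 0, sizeof t);
    size_t len = build_sample(file, sizeof file, n);
    if (decode_hardened(file, len, &t) != 0) return -1;
    return guard_corrupted(&t);
}

int main(void) {
    printf("vulnerable, 96 pixels into 64-byte canvas: %d guard bytes clobbered\n", run_vulnerable(96));
    printf("hardened,   96 pixels: %s\n", run_hardened(96) < 0 ? "rejected" : "accepted");
    printf("hardened,   64 pixels: %d guard bytes clobbered\n", run_hardened(64));
    return 0;
}
```

The order of the checks matters: `off` is validated against `len` before `len - off` is computed, so the subtraction cannot wrap, and the payload is checked against the destination size separately from the file size, since a file can be large enough to contain the declared payload while the decode buffer is not. Real decoders also have to apply the same discipline to derived values such as `width * height * bytes_per_pixel`, where the multiplication itself can overflow.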
“While the possibility of the average user being a target is low,” Narang said, “it’s never zero.”
The vulnerability marks the fifth zero-day Apple has addressed this year, following defects disclosed and patched in January, February, March and April. Apple defects have made seven appearances on CISA’s known exploited vulnerabilities catalog this year.
More information about the vulnerability is available on Apple’s website.