Apple discloses zero-day vulnerability, releases emergency patches


Apple released emergency software patches Tuesday that address a newly identified zero-day vulnerability in the company’s WebKit web browser engine. 

Tracked as CVE-2025-24201, the flaw could allow an attacker to escape the constraints of WebKit’s Web Content sandbox, potentially leading to unauthorized actions. The sandbox is a security feature that isolates untrusted web content in order to prevent malicious code from accessing critical parts of the system.

Apple categorized the attack as “extremely sophisticated,” saying it was used in attacks on “specific targeted individuals” prior to the iOS 17.2 update. WebKit is integral to Apple’s Safari browser and other applications across macOS and iOS.

The vulnerability marks the third zero-day Apple has tackled this year, with previous issues being identified and patched in January and February. The patches resolve the issue across various Apple operating systems, including iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.

Notably, Apple did not disclose if its own researchers or others outside of the company discovered the vulnerability, maintaining its policy of withholding specific exploitation details to prevent aiding malicious actors. The company did the same with the January zero-day, which was linked to its Core Media framework. This earlier flaw reportedly showcased use-after-free vulnerabilities, leading to unauthorized system access and prompting further vigilance.

Apple did name the researcher behind February’s zero-day announcement, which was discovered by Bill Marczak of The Citizen Lab. That vulnerability, which disabled USB Restricted Mode on a locked Apple device, drew attention to nation-state surveillance capabilities. 

More information about the patches is available on Apple’s website.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


