Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks

Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in “extremely sophisticated” attacks.

The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple’s Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.

“This is a supplementary fix for an attack that was blocked in iOS 17.2,” the iPhone maker said in security advisories issued on Tuesday. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”

Apple said attackers can exploit CVE-2025-24201 with maliciously crafted web content to break out of the Web Content sandbox, the restricted process in which WebKit renders untrusted pages. A sandbox escape of this kind is normally one stage of a longer exploit chain rather than a complete compromise on its own, which matches Apple's description of this patch as a supplementary fix for an attack first blocked in iOS 17.2.

Apple fixed this out-of-bounds write, a memory-corruption bug, with improved checks in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.

The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:

  • iPhone XS and later
  • iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Sequoia
  • Apple Vision Pro

Apple has not credited the discovery of this vulnerability to any researcher and has yet to publish details of the "extremely sophisticated" attacks in which it says the bug was exploited.

Even though the zero-day bug was likely only exploited in targeted attacks, installing today’s security updates as soon as possible is highly recommended to block potentially ongoing attack attempts.
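As an added example (not code from the article or from Apple), the following script audits a device inventory export against the fixed versions listed above and reports every device that is not confirmed patched. The CSV column names and the inventory rows are constructed assumptions, not any MDM's real export format. Devices on an older major release are flagged for manual review rather than judged, because the article lists fixes only for the current release of each platform.

```python
"""Audit an Apple device inventory against the CVE-2025-24201 fix baseline.

Added example; not part of the article or of Apple's advisory. The fixed
versions are the ones the article reports. The CSV layout and the rows in
SAMPLE_INVENTORY are constructed for illustration (hypothetical column
names, not a real MDM export).
"""
import csv
import io

# Minimum version per component that contains the fix (from the article).
FIXED_VERSIONS = {
    "iOS": "18.3.2",
    "iPadOS": "18.3.2",
    "macOS": "15.3.2",
    "visionOS": "2.3.2",
    "Safari": "18.3.1",
}

# Constructed sample export with assumed column names.
SAMPLE_INVENTORY = """\
device_id,platform,os_version,safari_version
mbp-001,macOS,15.3.1,18.3
mbp-002,macOS,15.3.2,18.3.1
iph-100,iOS,18.3.1,
iph-101,iOS,18.3.2,
ipd-200,iPadOS,17.7.5,
avp-300,visionOS,2.3.2,
"""


def parse_version(v):
    """Turn '18.3.2' into (18, 3, 2). Python compares tuples element by
    element and treats a shorter prefix as smaller, so (18, 3) < (18, 3, 1)
    and (15, 3, 10) > (15, 3, 2), which is what dotted versions need."""
    return tuple(int(part) for part in v.strip().split("."))


def classify(version, minimum):
    """'patched'   : version is at or above the fixed release.
    'unpatched' : same major release but below the fix; update is available.
    'review'    : older major release; the article lists no fix for that
                  branch, so check Apple's advisory for it by hand."""
    have, need = parse_version(version), parse_version(minimum)
    if have >= need:
        return "patched"
    if have[0] < need[0]:
        return "review"
    return "unpatched"


def audit_inventory(csv_text):
    """Return one finding per device component that is not confirmed patched.
    Safari is checked separately when the export carries its version, since
    Safari 18.3.1 ships on its own for Macs that are not on Sequoia."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        checks = [(row["platform"], row["os_version"])]
        if row.get("safari_version"):
            checks.append(("Safari", row["safari_version"]))
        for component, version in checks:
            minimum = FIXED_VERSIONS.get(component)
            # Platforms the advisory does not list get manual review, not a verdict.
            status = "review" if minimum is None else classify(version, minimum)
            if status != "patched":
                findings.append({
                    "device_id": row["device_id"],
                    "component": component,
                    "version": version,
                    "status": status,
                    "fixed_in": minimum,
                })
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['device_id']:8} {f['component']:9} {f['version']:8} "
              f"{f['status']:9} fix: {f['fixed_in']}")
```

On the constructed inventory the script reports mbp-001 twice (macOS 15.3.1 and Safari 18.3 both below the fix), iph-100 as unpatched, and ipd-200 as needing review; the two up-to-date devices produce no findings. Feed it a real export by replacing SAMPLE_INVENTORY with the file contents and adjusting the column names to match.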

With this vulnerability, Apple has fixed three zero-days since the start of the year, the first in January (CVE-2025-24085) and the second in February (CVE-2025-24200).

Last year, the company patched six more zero-days exploited in the wild: the first in January, two in March, a fourth in May, and two more in November.

In 2023, Apple patched 20 zero-day vulnerabilities exploited in attacks, including:
