CISA Warns of Apple WebKit Out-of-Bounds Write Vulnerability Exploited in Wild


The Cybersecurity and Infrastructure Security Agency (CISA) has warned about an actively exploited zero-day vulnerability in Apple’s WebKit browser engine, tracked as CVE-2025-24201.

This vulnerability, an out-of-bounds write issue, could allow attackers to execute unauthorized code on vulnerable devices.

The vulnerability lies within WebKit, a cross-platform web browser engine used by Safari and other applications across macOS, iOS, Linux, and Windows.

CVE-2025-24201 can be exploited through maliciously crafted web content, potentially allowing attackers to break out of the Web Content sandbox.

This could lead to unauthorized actions, further exploitation, remote code execution, or even the deployment of spyware on affected devices.

Affected Products

The vulnerability impacts a wide array of Apple devices, including:

  • iPhone XS and later
  • iPad Pro 13-inch
  • iPad Pro 12.9-inch (3rd generation and later)
  • iPad Pro 11-inch (1st generation and later)
  • iPad Air (3rd generation and later)
  • iPad (7th generation and later)
  • iPad mini (5th generation and later)
  • Macs running macOS Sequoia
  • Apple Vision Pro

The vulnerability also affects third-party browsers on iOS and iPadOS, which are required to use WebKit.

Exploitation in the Wild

Apple has acknowledged that CVE-2025-24201 may have been exploited in “extremely sophisticated” attacks targeting specific individuals on versions of iOS before 17.2.

While Apple has not released specific details regarding the attacks, they appear to be highly targeted rather than widespread. This is the third zero-day vulnerability Apple has addressed in 2025.

Apple has released updates to address the vulnerability, including improved checks to prevent unauthorized actions:

  • iOS 18.3.2
  • iPadOS 18.3.2
  • macOS Sequoia 15.3.2
  • visionOS 2.3.2
  • Safari 18.3.1

CISA recommends applying mitigations per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.

Users are advised to update their devices immediately to the latest software versions. For enterprise and high-risk users, enabling Lockdown Mode is recommended to harden device security against targeted attacks.

Recommendations for Users

To protect against potential exploitation, users should take the following precautions:

  1. Update Devices Immediately: Install the latest software updates from Apple.
  2. Avoid Untrusted Links and Websites: Be cautious when clicking on links from unknown sources.
  3. Monitor Device Behavior: Watch for unusual device behavior, such as slow performance or frequent crashes.
  4. Enable Automatic Updates: Ensure automatic updates are enabled for all Apple devices.
  5. Enterprise Mitigation: Deploy Mobile Device Management (MDM) solutions to ensure devices are updated promptly and monitor network activity for any signs of compromise.
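The enterprise mitigation above (use MDM to confirm devices are on the patched builds) reduces to comparing each device's reported OS or Safari version against the fixed versions listed earlier. The following is an added example, not code from CISA, Apple or any MDM vendor: it parses version strings numerically (so that a hypothetical "18.3.10" correctly sorts after "18.3.2"), checks each record against the fixed release for its platform, and routes anything it cannot evaluate (a non-Apple WebKit build, a missing version) to a review bucket rather than silently passing it. The inventory format and all device records are constructed for illustration.

```python
"""Audit a device inventory against the versions Apple shipped with the fix
for CVE-2025-24201.  Added example, not CISA's or Apple's code; the inventory
format is a hypothetical MDM export constructed inline below."""

# Minimum versions carrying the fix, per Apple's release list in the article.
FIXED_VERSIONS = {
    "iOS": "18.3.2",
    "iPadOS": "18.3.2",
    "macOS": "15.3.2",
    "visionOS": "2.3.2",
    "Safari": "18.3.1",
}


def parse_version(text):
    """Convert '18.3.2' (or 'iOS 18.3.2') into a comparable tuple of ints.

    Tuples compare component-wise, so (18, 3, 10) > (18, 3, 2); a plain
    string comparison would rank '18.3.10' below '18.3.2'.  Short versions
    are padded with zeros so '18.3' compares equal to '18.3.0'.
    """
    token = text.strip().split()[-1]
    parts = tuple(int(p) for p in token.split("."))  # ValueError on junk
    return parts + (0,) * (3 - len(parts))


def is_patched(platform, version):
    """True if `version` is at or above the fixed release for `platform`.

    Raises KeyError for platforms with no known fixed version so the caller
    decides how to treat them instead of the check silently passing.
    """
    return parse_version(version) >= parse_version(FIXED_VERSIONS[platform])


def audit(inventory):
    """Split inventory records into patched / vulnerable / review buckets.

    Each record is a dict with 'id', 'platform' and 'version' (constructed
    format).  Records whose platform or version cannot be evaluated land in
    'review' rather than being dropped, so nothing falls through the cracks.
    """
    result = {"patched": [], "vulnerable": [], "review": []}
    for rec in inventory:
        try:
            ok = is_patched(rec["platform"], rec["version"])
            bucket = "patched" if ok else "vulnerable"
        except (KeyError, ValueError):
            bucket = "review"
        result[bucket].append(rec["id"])
    return result


# Constructed sample export, not real inventory data.  "18.3.10" is a
# made-up version that exists only to exercise numeric comparison.
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "version": "18.3.2"},
    {"id": "iphone-02", "platform": "iOS", "version": "18.3.1"},
    {"id": "ipad-01", "platform": "iPadOS", "version": "18.3.10"},
    {"id": "mac-01", "platform": "macOS", "version": "15.3.2"},
    {"id": "mac-02", "platform": "macOS", "version": "15.2"},
    {"id": "vision-01", "platform": "visionOS", "version": "2.3.2"},
    {"id": "mac-03", "platform": "Safari", "version": "18.3.1"},
    # Non-Apple WebKit build: not covered by Apple's list, needs manual review.
    {"id": "kiosk-01", "platform": "Linux", "version": "2.46.5"},
    {"id": "iphone-03", "platform": "iOS", "version": "unknown"},
]

if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The review bucket is the important design choice: a fleet audit that crashes on, or quietly skips, a record it does not understand is worse than one that reports it, because the unexamined devices are exactly the ones most likely to be left unpatched.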
