Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks”


Apple has patched a vulnerability in iPhone and iPad that was under active exploitation by cybercriminals.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to Settings (or System Settings) > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.


Overall, security updates were issued for:

If you use Malwarebytes for iOS, you can use the app to check if you need to update, and be guided through the update process.

Malwarebytes for iOS Trusted Advisor

Technical details

WebKit is the browser engine developed by Apple that helps display web content in applications. It allows apps to show web pages without the need for a full web browser. WebKit is used in many Apple products, such as Safari, Mail, and the App Store, as well as in other devices like PlayStation consoles and Amazon Kindle e-readers.

The actively exploited vulnerability is tracked as CVE-2025-24201.

“An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).”

Simply put, that means an attacker could send a target a link to, or otherwise lure them into opening, a web page that triggers an out-of-bounds write in memory allocated by WebKit. That write would then let the attacker escape the Web Content sandbox, a security feature browsers use to isolate web content, such as web pages and scripts, from the rest of the system. The sandbox is designed to stop malicious code from reaching sensitive system resources or user data outside the browser.
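The bug class behind this advisory, an out-of-bounds write, and the "improved checks" style of fix are easiest to see side by side. The following C program is an added illustration written for this article; it is not WebKit code and the struct layout, names and the `trusted` field are assumptions chosen to show why a missing bounds check on an attacker-influenced index matters and what the checked version looks like.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for a renderer-side object: a fixed-size payload
 * followed by a field that security policy relies on. Constructed for this
 * example; it is not WebKit's memory layout. */
#define PAYLOAD_LEN 16

struct content_buffer {
    uint8_t  payload[PAYLOAD_LEN];
    uint32_t trusted;   /* 0 = untrusted web content, 1 = trusted */
};

/* The bug class: an index derived from untrusted input is used without a
 * bounds check. Any idx >= PAYLOAD_LEN writes past the end of the array and
 * can corrupt whatever sits next to it (here, the `trusted` field). */
void store_unchecked(struct content_buffer *cb, size_t idx, uint8_t value)
{
    cb->payload[idx] = value;
}

/* The "improved checks" pattern: validate the index before touching memory
 * and report the rejection so the caller can log or count it. */
bool store_checked(struct content_buffer *cb, size_t idx, uint8_t value)
{
    if (idx >= PAYLOAD_LEN) {
        return false;   /* rejected: the write would be out of bounds */
    }
    cb->payload[idx] = value;
    return true;
}

/* Reset helper shared by the demo below and by tests. */
void init_buffer(struct content_buffer *cb)
{
    memset(cb->payload, 0, sizeof cb->payload);
    cb->trusted = 0;
}

int main(void)
{
    struct content_buffer cb;
    init_buffer(&cb);

    /* idx == PAYLOAD_LEN is one past the end. This is undefined behaviour;
     * on a typical layout it lands on the first byte of `trusted`. Compile
     * with -fsanitize=address to see the write flagged at runtime. */
    store_unchecked(&cb, PAYLOAD_LEN, 1);
    printf("unchecked write past the end: trusted=%u\n", cb.trusted);

    init_buffer(&cb);
    bool ok = store_checked(&cb, PAYLOAD_LEN, 1);
    printf("checked write past the end: accepted=%d trusted=%u\n", ok, cb.trusted);
    return 0;
}
```

The checked version is the whole point of a fix described as "addressed with improved checks": the index is validated against the real allocation size before the write, so out-of-range input is refused rather than silently overwriting adjacent memory.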

About a month ago, we reported how Apple fixed another extremely sophisticated attack that was used against targeted individuals. This one is much more likely to be used against more users, so you should prioritise updating your phone as soon as you can.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.


