Apple Addresses 0-Day Vulnerability Targeted in “Highly Sophisticated Attack”

Apple has addressed a significant zero-day vulnerability affecting a wide range of iPhones and iPads, as announced on Tuesday. The company indicated that this flaw could have been exploited in a highly advanced attack targeting specific individuals using earlier versions of iOS.

The flaw, designated as CVE-2025-24201, is linked to WebKit, the browser engine that powers Safari and numerous other browsers on Apple’s mobile devices. The impacted models include the iPhone XS and all subsequent versions, various iPad Pro models from the 3rd generation and later, iPad Air from the 3rd generation onward, the iPad 7th generation and later, and iPad mini from the 5th generation onward. The vulnerability arises from a bug that permits writes to out-of-bounds memory locations, which can pose a serious risk.

In its advisory, Apple described the potential consequences: “Maliciously crafted web content may be able to break out of the Web Content sandbox.” This advisory also mentioned that the fix served as a supplemental measure for a threat that had been prevented in iOS 17.2. The company acknowledged reports suggesting that this vulnerability may have been exploited in a sophisticated attack against particular targeted individuals using iOS versions prior to 17.2.

The advisory did not clarify whether the vulnerability was discovered internally by Apple or if it was identified by external researchers, a detail often revealing insights about the attackers and their targets. Additionally, the advisory remained silent on the timeline of the attacks and their duration, leaving some critical questions unanswered.

The latest update raises iOS and iPadOS to version 18.3.2, marking a crucial step in enhancing security across affected devices. Users perceived to be at the highest risk include those targeted by well-funded law enforcement or state-sponsored actors, underscoring the urgency of installing the update promptly. Although there is no direct indication that the vulnerability is being exploited against a broader audience, it is advisable for all users to apply updates within 36 hours of their availability to maintain security hygiene.

In terms of potential attack methodologies, this incident raises implications relevant to various tactics specified in the MITRE ATT&CK framework. The initial exploitation of this vulnerability could fall under the categories of initial access, given its exploitation through manipulated web content. Moreover, the nature of the flaw might facilitate persistence and privilege escalation within targeted devices, enabling attackers to maintain a foothold or elevate their access levels.

As cyber threats continue evolving, the need for robust security measures and immediate updates becomes increasingly critical for all users, particularly business owners who must safeguard sensitive information from potential breaches.

Source