Apple on Tuesday launched a safety replace to handle a zero-day flaw that it stated has been exploited in “extraordinarily subtle” assaults.
The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted within the WebKit internet browser engine element.
It’s been described as an out-of-bounds write factor that would permit an attacker to craft malicious internet content material such that it could actually escape of the Internet Content material sandbox.
Apple stated it resolved the problem with stepped forward exams to stop unauthorized movements. It additionally famous that it is a supplementary repair for an assault that used to be blocked in iOS 17.2.
Moreover, it said that the vulnerability “could have been exploited in an especially subtle assault in opposition to particular focused people on variations of iOS ahead of iOS 17.2.”
On the other hand, the advisory does no longer point out if Apple’s personal safety crew came upon the flaw or if it used to be reported to it by way of an exterior researcher. It additionally does no longer point out when the assaults started, how lengthy they lasted, and who used to be focused.
The replace is to be had for the next units and working machine variations –
- iOS 18.3.2 and iPadOS 18.3.2 – iPhone XS and later, iPad Professional 13-inch, iPad Professional 12.9-inch third era and later, iPad Professional 11-inch 1st era and later, iPad Air third era and later, iPad seventh era and later, and iPad mini fifth era and later
- macOS Sequoia 15.3.2 – Macs operating macOS Sequoia
- Safari 18.3.1 – Macs operating macOS Ventura and macOS Sonoma
- visionOS 2.3.2 – Apple Imaginative and prescient Professional
With the most recent building, Apple has addressed a complete of 3 actively exploited zero-days in its instrument because the get started of the yr, the opposite two being CVE-2025-24085 and CVE-2025-24200.