Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in “extremely sophisticated” attacks.
The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component.
It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandbox.
Apple said it resolved the issue with improved checks to prevent unauthorized actions. It also noted that it’s a supplementary fix for an attack that was blocked in iOS 17.2.
Furthermore, it acknowledged that the vulnerability “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”
However, the advisory does not mention if Apple’s own security team discovered the flaw or if it was reported to it by an external researcher. It also does not mention when the attacks began, how long they lasted, and who was targeted.
The update is available for the following devices and operating system versions –
- iOS 18.3.2 and iPadOS 18.3.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- macOS Sequoia 15.3.2 – Macs running macOS Sequoia
- Safari 18.3.1 – Macs running macOS Ventura and macOS Sonoma
- visionOS 2.3.2 – Apple Vision Pro
With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year, the other two being CVE-2025-24085 and CVE-2025-24200.