On Tuesday, Apple released a security update to address a zero-day vulnerability that has been exploited in highly sophisticated attacks.
The identified vulnerability, assigned the CVE identifier CVE-2025-24201, is associated with the WebKit web browser engine component.
This vulnerability is characterized as an out-of-bounds write issue, which allows an attacker to create malicious web content that can escape the Web Content sandbox.
Apple has resolved the issue by implementing improved checks to prevent unauthorized actions, noting that it is a supplementary fix for an attack that was previously blocked in iOS 17.2.
Moreover, Apple acknowledged that this vulnerability may have been exploited in highly sophisticated attacks targeting specific individuals using versions of iOS prior to iOS 17.2.
However, the advisory does not provide information on whether the vulnerability was discovered by Apple’s security team or reported by an external researcher, nor does it specify when the attacks started, how long they lasted, or who the targets were.
The security update is available for the following devices and operating system versions:
- iOS 18.3.2 and iPadOS 18.3.2 – Compatible with iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- macOS Sequoia 15.3.2 – Available for Macs running macOS Sequoia
- Safari 18.3.1 – Compatible with Macs running macOS Ventura and macOS Sonoma
- visionOS 2.3.2 – Available for Apple Vision Pro
With this latest update, Apple has addressed a total of three actively exploited zero-day vulnerabilities in its software since the beginning of the year, in addition to CVE-2025-24085 and CVE-2025-24200.
