Apple has released emergency updates to patch another zero-day vulnerability that was exploited in an “extremely sophisticated attack.”
Tracked as CVE-2025-43300, this security flaw is caused by an out-of-bounds write weakness discovered by Apple security researchers in the Image I/O framework, which enables applications to read and write most image file formats.
An out-of-bounds write occurs when attackers successfully exploit such vulnerabilities by supplying input to a program, causing it to write data outside the allocated memory buffer, which can lead to the program crashing, corrupting data, or, in the worst-case scenario, allowing remote code execution.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company revealed in security advisories issued on Wednesday.
“An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption.”
Apple has addressed this issue with improved bounds checking to prevent exploitation in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
The complete list of devices impacted by this zero-day vulnerability is extensive, as the bug impacts both older and newer models, including:
- iPhone XS and later,
- iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation,
- and Macs running macOS Sequoia, Sonoma, and Ventura.
The company has yet to attribute the discovery to one of its researchers and has not yet published details regarding the attacks it described as “extremely sophisticated.”
While this flaw is likely only exploited in highly targeted attacks, it is strongly advised to install today’s security updates promptly to prevent any potential ongoing attacks.
With this vulnerability, Apple has fixed a total of six zero-days exploited in the wild since the start of the year, the first in January (CVE-2025-24085), the second in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201).
In 2024, the company has patched six other actively exploited zero-days: one in January, two in March, a fourth in May, and two others in November.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
