
Apple has released security updates to address a security flaw affecting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild.
The zero-day, an out-of-bounds write vulnerability tracked as CVE-2025-43300, resides in the ImageIO framework and can result in memory corruption when processing a malicious image.
“Apple is aware of reports that this issue may have been exploited in a highly sophisticated attack on a particular targeted individual,” the company said in its advisory.
The iPhone maker said the bug was discovered internally and was addressed with improved bounds checking. The following versions address the security flaw –
iOS 18.6.2 and iPadOS 18.6.2 – iPhone XS and later, iPad Pro 13″, iPad Pro 12.9″ 3rd generation and later, iPad Pro 11″ 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
iPad Pro 7th generation and 6th generation
macOS Ventura 13.7.8 – Macs running macOS Ventura
macOS Sonoma 14.7.8 – Macs running macOS Sonoma
macOS Sequoia

It is currently unknown who was behind the attack or who was targeted, but the vulnerability could be weaponized as part of a highly targeted attack.
With the latest update, which fixes CVE-2025-43300, Apple has fixed a total of seven zero-days so far, the others being CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, and CVE-2025-43200.
Last month, the company issued a patch for a Safari vulnerability residing in an open-source component (CVE-2025-6558) that Google reported as having been exploited as a zero-day in the Chrome web browser.