
Apple has rolled out a crucial security update to mitigate a zero-day vulnerability that has been actively exploited in highly sophisticated cyberattacks.
Identified as CVE-2025-24201, the security flaw resides within the WebKit web browser engine component. The issue is classified as an out-of-bounds write vulnerability, which, if exploited, could enable malicious actors to craft harmful web content capable of escaping the Web Content sandbox.
To address this threat, Apple has implemented improved security checks to prevent unauthorized actions. This fix is considered an extension of an earlier security patch aimed at mitigating a similar attack that was blocked in iOS 17.2.
Additionally, Apple acknowledged that this vulnerability may have been exploited in advanced cyberattacks against specific individuals using iOS versions predating iOS 17.2. However, Apple has not disclosed details regarding the origin of the discovery, whether it was found by its internal security team or reported by an external researcher. Furthermore, specifics about the duration of the attacks, the entities targeted, or when they first emerged remain undisclosed.
Devices and Operating Systems Receiving the Update:
iOS 18.3.2 and iPadOS 18.3.2 – Compatible with iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air from the 3rd generation onwards, iPad from the 7th generation onwards, and iPad mini starting from the 5th generation.
macOS Sequoia 15.3.2 – Available for Mac devices running macOS Sequoia.
Safari 18.3.1 – Applicable for Macs operating on macOS Ventura and macOS Sonoma.
visionOS 2.3.2 – Rolled out for Apple Vision Pro.
With this latest release, Apple has now patched a total of three actively exploited zero-day vulnerabilities in its software since the beginning of the year. The other two are CVE-2025-24085 and CVE-2025-24200.