Apple Urgently Patches Zero-Day Vulnerability

Apple has released out-of-band security updates to fix a zero-day vulnerability that has already been exploited in what the company described as a “highly sophisticated attack.”
The flaw, tracked as CVE-2025-43300, is an out-of-bounds write error discovered by Apple’s own security team. It was found in the Image I/O framework, which enables applications to read and write images in multiple formats.
Risk and Exploitation
Exploiting this type of vulnerability can cause application crashes, data corruption, or—in the most severe cases—remote code execution.
“An out-of-bounds write issue was addressed with improved bounds checking. Processing a maliciously crafted image file may lead to memory corruption,” Apple noted in its advisory.
Fixed Versions
The patch has been rolled out across iOS, iPadOS, and macOS:
Affected Devices
The scope of affected hardware is broad, covering both newer and older models:
- iPhone: XS and later
- iPad:
  - iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later)
  - iPad Air (3rd gen and later), iPad (7th gen and later), iPad mini (5th gen and later)
  - Legacy models: iPad Pro 12.9-inch (2nd gen), iPad Pro 10.5-inch, iPad (6th gen)
- Mac: Any system running macOS Sequoia, Sonoma, or Ventura
Broader Context
Apple has not disclosed details about the attack that exploited CVE-2025-43300 but confirmed it may have been used against targeted individuals.
This marks the sixth zero-day vulnerability patched by Apple in 2025. Earlier fixes included:
- CVE-2025-24085 (January)
- CVE-2025-24200 (February)
- CVE-2025-24201 (March)
- CVE-2025-31200 and CVE-2025-31201 (April)