A threat actor leveraged the vulnerability in an "extremely sophisticated" attack on targeted iOS users, the company says.

 

March 12, 2025 By Jai Vijayan

 

For the third time in as many months, Apple has released an emergency patch to fix an already exploited zero-day vulnerability impacting a wide range of its products.

The new vulnerability, identified as CVE-2025-24201, exists in Apple's WebKit open source browser engine for rendering Web pages in Safari and other apps across macOS, iOS, and iPadOS. WebKit is a frequent target for attackers because of how deeply integrated it is with Apple's ecosystem.

A Supplementary Fix

Apple described the zero-day vulnerability as an out-of-bounds-write issue that the company has addressed in iOS 18.3.2, iPadOS 18.3.2, Safari 18.3.1, macOS Sequoia 15.3.2, and visionOS 2.3.2. "Maliciously crafted web content may be able to break out of Web Content sandbox," which is used to protect user data and system resources from compromised apps, Apple said. "This is a supplementary fix for an attack that was blocked in iOS 17.2."

Affected products include iPhone XS and later, iPad Pro 13, 12.9-inch iPad Pro 3rd generation and later, 11-inch iPad Pro 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Also impacted are systems running macOS Sequoia and Apple Vision Pro.

 
