Apple on Tuesday rolled out an emergency security update to patch a critical WebKit vulnerability that has been actively exploited in “extremely sophisticated” cyberattacks.
The zero-day vulnerability, CVE-2025-24201, is an out-of-bounds write issue that affects WebKit, the engine that powers Apple’s web browser Safari and many other apps and web browsers on macOS, iOS, Linux, and Windows.
Processing maliciously crafted web content can trigger the bug and let an attacker break out of the Web Content sandbox, the isolated process in which WebKit renders untrusted pages, which is why Apple rates the flaw as critical.
“This is a supplementary fix for an attack that was blocked in iOS 17.2. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2,” the Cupertino giant wrote in security advisories issued on Tuesday.
Apple has not yet credited any specific researcher with discovering this security vulnerability. It has also not provided any technical details on the zero-day vulnerability or the nature of the attacks.
The devices affected by the zero-day are:
- iPhone XS and later
- iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- Apple Vision Pro
- Macs running macOS Sequoia and macOS Sonoma
Apple fixed the out-of-bounds write with improved checks to prevent unauthorized actions, shipping the patch in iOS 18.3.2, iPadOS 18.3.2, visionOS 2.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1. Note that there is no Sonoma point release in this batch: Macs still on macOS Sonoma receive the WebKit fix through the Safari 18.3.1 update rather than an OS update, so checking the OS build alone is not enough on those machines.
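For anyone responsible for more than a handful of Apple devices, the practical question is which hosts are still below the fixed versions above. The script below is an added example, not code from the article or from Apple: it compares dotted version strings numerically (a plain string comparison would rank 15.10 below 15.3) against the fixed versions in Apple's advisories, and treats a Mac as patched if it is either on Sequoia 15.3.2 or later, or on an older macOS with Safari 18.3.1 or later. The inventory lines are constructed for the example, and the function names are this example's own; the only Apple tools used are `sw_vers` and the Safari `Info.plist`, which are read only when the script runs on a Mac.

```shell
#!/bin/sh
# Added example: check Apple devices against the CVE-2025-24201 fixed versions.
# Fixed versions come from Apple's March 2025 advisories; the helper names,
# the inventory data and the reporting format are this example's own.

# version_ge A B : exit 0 if dotted version A >= B, comparing each component
# as a number, so 15.10 > 15.3 (a string comparison gets this wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # consume the leading component; a bare last component has no dot
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        : "${ai:=0}"; : "${bi:=0}"          # missing components count as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# patched_status PRODUCT VERSION : print "patched" or "vulnerable" for a
# non-Mac product, using the fixed versions from Apple's advisories.
patched_status() {
    case "$1" in
        iOS|iPadOS) fixed="18.3.2" ;;
        visionOS)   fixed="2.3.2"  ;;
        Safari)     fixed="18.3.1" ;;
        *) echo "unknown"; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then echo "patched"; else echo "vulnerable"; fi
}

# mac_status MACOS_VER SAFARI_VER : Sequoia (15.x) gets the fix in 15.3.2;
# an older macOS (Sonoma, listed as affected) gets it via Safari 18.3.1.
mac_status() {
    if version_ge "$1" "15"; then
        version_ge "$1" "15.3.2" && echo "patched" || echo "vulnerable"
    else
        version_ge "$2" "18.3.1" && echo "patched" || echo "vulnerable"
    fi
}

# Constructed inventory (not real hosts): host,product,version[,safari]
INVENTORY='mac-01,macOS,15.3.1,18.3
mac-02,macOS,15.3.2,18.3.1
mac-03,macOS,14.7.4,18.3.1
mac-04,macOS,14.7.4,18.3
iphone-01,iOS,18.3.1
ipad-01,iPadOS,18.3.2
vision-01,visionOS,2.3.2'

# report : one line per inventory entry with its patch status.
report() {
    printf '%s\n' "$INVENTORY" | while IFS=, read -r host product ver safari; do
        case "$product" in
            macOS) status=$(mac_status "$ver" "$safari") ;;
            *)     status=$(patched_status "$product" "$ver") ;;
        esac
        printf '%-10s %-9s %-7s %s\n' "$host" "$product" "$ver" "$status"
    done
}

report

# Live check when run on a Mac: sw_vers gives the OS version and Safari's
# Info.plist carries its marketing version (e.g. 18.3.1).
if command -v sw_vers >/dev/null 2>&1; then
    os_ver=$(sw_vers -productVersion)
    safari_ver=$(defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null || echo 0)
    echo "this host: macOS $os_ver, Safari $safari_ver: $(mac_status "$os_ver" "$safari_ver")"
fi
```

Feed it your MDM export in the same comma-separated shape and the `vulnerable` lines are your remediation list; the Sonoma branch is the one most inventories miss, because the OS version never changes when the fix arrives through Safari.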
Users of affected iPhones, iPads, Macs, and Vision Pro headsets should install these updates as soon as possible. Because the flaw is triggered by processing web content, loading a malicious or compromised page is enough to reach it, so there is no safe-browsing habit that substitutes for patching.