Table of Contents
The use-after-free flaw allows privilege escalation in affected media applications running on Apple’s Core Media framework.
Apple iPhone users were targeted for privilege escalation in the zero-day exploitation of a use-after-free vulnerability affecting Apple’s Core Media framework.
“A malicious application may be able to elevate privileges,” Apple said in the security update description. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”
Apple refrained from adding more details on the real-world exploitation and has yet to attribute the flaw’s discovery to a cybersecurity researcher or firm.
The vulnerability has been assigned a tracker, CVE-2025-24085, and is pending further evaluation to confirm the severity. Use-after-free vulnerabilities are typically serious security flaws arising from improper memory handling.
Patches available through security updates
The consumer electronics giant has released software updates to address the issue, along with several others, and users are advised to apply these updates to avoid exploitation.
On the security updates page, Apple explained that the flaw was “addressed with improved memory management.”
Updates with patches have been rolled out for iPhones (iOs 18.3), iPads (iPadOS 18.3), Macs (macOS Sequoia 15.3), Apple TV(tvOS 18.3), Vision Pro (visionOS 2.3), and Apple Watches (watchOS 11.3).
Given Core Media’s role in handling low-level media operations and interacting with sensitive system resources, critical flaws affecting it are known for potentially allowing code execution, data theft, and device takeover.
Targeting Apple devices continues
Owing to Apple’s formidable market share and reputation for exclusivity, it has become a popular adversary target. Quite often, Apple systems bugs are picked up by nation-state actors for lateral entry and sensitive compromises.
The Core Media vulnerability marks Apple’s first zero-day exploit of 2025, following a string of critical exploits in 2024 including CVE-2024-23225 and CVE-2024-23296 which together allowed attackers to bypass kernel memory protection.
Apple had fixed six zero-day bugs in 2024, down from a total of twenty in 2023 which included notorious RCE bugs, CVE-2023-32434 and CVE-2023-32435, allegedly used in a spy campaign Operation Triangulation against Russia.
Other than the Code Media flaw, the security update addressed a clutch of other flaws with system termination, denial-of-service, and code execution issues, with five of them attributed to Oligo Security researcher Uri Katz, and three to Google’s Threat Analysis Group (TAG).
