Apple has released security updates addressing a zero-day vulnerability that has been actively exploited by attackers targeting iPhone users.
The vulnerability (CVE-2025-24085) is a use-after-free bug in CoreMedia, the framework responsible for processing media data on Apple devices. It allows for potential memory corruption and could result in arbitrary code execution.
The flaw impacts versions of iOS prior to iOS 17.2. While Apple acknowledged that the vulnerability may have been leveraged in attacks against devices running earlier versions of iOS, the company withheld additional details regarding real-world exploitation.
The update is now available across several platforms and devices, including:
- iOS 18.3 and iPadOS 18.3: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later)
- macOS Sequoia 15.3: All Macs running macOS Sequoia
- tvOS 18.3: Apple TV HD and Apple TV 4K (all models)
- visionOS 2.3: Apple Vision Pro
- watchOS 11.3: Apple Watch Series 6 and later
In addition to the zero-day vulnerability, Apple has addressed several other bugs allowing remote code execution and denial-of-service (DoS) attacks.
Users of the affected devices are strongly urged to update to the latest software version to mitigate the risks associated with this zero-day vulnerability.