Apple has released urgent security updates to address a critical zero-day vulnerability that the company warns has been actively exploited in “extremely sophisticated” attacks.
The bug, tracked as CVE-2025-24201, resides in WebKit, the cross-platform web browser engine utilized by Apple's Safari browser as well as several other apps and web browsers across macOS, iOS, Linux, and Windows.
The vulnerability could be exploited by attackers to break out of WebKit's Web Content sandbox by using maliciously crafted web content. This would allow the attackers to potentially gain unauthorized access and execute harmful actions within the system. Apple acknowledged that the flaw has already been leveraged in targeted attacks aimed at specific individuals running versions of iOS prior to iOS 17.2.
“This is a supplementary fix for an attack that was blocked in iOS 17.2,” Apple clarified, urging users to update their devices immediately to the latest versions to secure their systems against this threat.
The fix ships as part of iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The flaw is an out-of-bounds write issue in WebKit, and the update addresses it with improved checks to prevent unauthorized actions and mitigate further exploitation.
The security patch applies to a broad range of Apple devices, covering both older and newer models: iPhone XS and later models, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later, Macs running macOS Sequoia, and Apple Vision Pro.
Users are urged to install the updates as soon as possible to protect against potential threats.