Apple rolls out emergency updates to patch zero-day exploited in sophisticated attacks

 


Apple has released emergency security updates to fix a critical zero-day vulnerability actively exploited in what the company describes as an ‘extremely sophisticated attack’ targeting specific individuals.

Tracked as CVE-2025-43300, the flaw stems from an out-of-bounds write issue in Apple’s Image I/O framework. The vulnerability exists due to a boundary error when processing untrusted input within the ImageIO subsystem. A remote attacker can create a specially crafted image file, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.

Apple didn’t specify the nature of the attacks or what threat actor was behind them, only confirming that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

The company says the vulnerability has been mitigated through improved bounds checking.

The fix has been rolled out across multiple operating systems, including: iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. Users are strongly advised to update their devices immediately to minimize risk.
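For teams tracking this across a fleet, the following added example (not Apple's tooling and not part of the original article) checks an exported device inventory against the fixed releases listed above. The inventory rows, hostnames and status labels are constructed for illustration; a branch the article does not name is reported as "unlisted" rather than guessed.

```python
import re

# First fixed release per OS and major-version branch, as listed in the article.
FIXED = {
    "ios": {18: (18, 6, 2)},
    "ipados": {18: (18, 6, 2), 17: (17, 7, 10)},
    "macos": {15: (15, 6, 1), 14: (14, 7, 8), 13: (13, 7, 8)},
}

def parse_version(text):
    """Turn '18.6' or '15.6.1' into a 3-tuple, padding missing parts with 0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(os_name, version):
    """Return 'patched', 'needs-update', or 'unlisted' (branch not in the article)."""
    branches = FIXED.get(os_name.strip().lower())
    if branches is None:
        return "unlisted"
    current = parse_version(version)
    fixed = branches.get(current[0])
    if fixed is None:
        return "unlisted"
    return "patched" if current >= fixed else "needs-update"

def audit(inventory):
    """Map each (host, os, version) row to a status; bad versions become 'invalid'."""
    report = {}
    for host, os_name, version in inventory:
        try:
            report[host] = patch_status(os_name, version)
        except ValueError:
            report[host] = "invalid"
    return report

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    ("exec-iphone", "iOS", "18.6.1"),
    ("lab-ipad", "iPadOS", "17.7.10"),
    ("dev-mbp", "macOS", "15.6"),
    ("old-imac", "macOS", "12.7.6"),
    ("kiosk", "iPadOS", "18.x"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Devices reported as "unlisted" or "invalid" need manual review against Apple's security release notes, since the article names no fixed build for them.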

Speaking of zero-day exploits, a new UAE-based zero-day broker, Advanced Security Solutions, is offering up to $20 million for hacking tools that can compromise smartphones via a text message, according to TechCrunch. The company’s top payout applies to any mobile operating system, while other bounties range from $15 million for Android and iPhone exploits to $1 million for browser vulnerabilities like Safari and Edge. Currently, there’s no information on the company’s backers and clients.
