Apple Backports Fixes for Three Actively Exploited Zero-Days Targeting Older Devices

Apple has released backported security patches for older versions of iOS, iPadOS, and macOS, addressing three zero-day vulnerabilities that have been exploited in targeted attacks. The flaws, originally patched in March, have now been addressed in iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, iPadOS 15.8.4, and macOS Sonoma 14.7.5.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2,” the company disclosed in its updated advisory.

• CVE-2025-24200 – Authorization Flaw in iOS

Discovered by Bill Marczak of Citizen Lab, CVE-2025-24200 is an authorization issue that has been exploited in highly sophisticated attacks aimed at specific, targeted individuals. The vulnerability was patched in iOS 18.3.1 and iPadOS 18.3.1, but has now been backported to protect users on legacy devices.

Apple confirms: “This issue may have been exploited in an extremely sophisticated attack.”

The flaw allows attackers to bypass security checks and escalate privileges within the system, likely as part of a larger attack chain involving spyware or surveillance implants.

• CVE-2025-24201 – WebKit Sandbox Escape

The second vulnerability, CVE-2025-24201, resides in WebKit, the core browser engine powering Safari and many third-party apps on macOS, iOS, Windows, and Linux. Apple warns that attackers can exploit the flaw using maliciously crafted web content, enabling them to break out of the Web Content sandbox and execute arbitrary code.

This sandbox escape could enable attackers to pair WebKit-based drive-by exploits with additional payloads, delivering malware or spyware onto devices through a simple browser click.

• CVE-2025-24085 – Core Media Privilege Escalation

The third zero-day, CVE-2025-24085, targets Core Media, a crucial multimedia framework used by AVFoundation and other Apple media pipelines. This flaw enables privilege escalation, which could allow malware to run with elevated permissions, bypassing normal app boundaries and accessing sensitive data or system-level resources.

While Apple has not detailed the nature of attacks using CVE-2025-24085, its connection to Core Media suggests that attackers may be targeting video or audio content handling as part of their exploit chains.

Users running any of the following systems are strongly urged to update immediately:

• iOS / iPadOS 16.7.11
• iOS / iPadOS 15.8.4
• macOS Sonoma 14.7.5

Related Posts:

• Beyond Zero-Day: Operation Triangulation Redefines iPhone Hacking
• Apple Hits Pause on iPadOS 18 for M4 iPad Pro Amid ‘Bricking’ Fears
• 0-day bug affecting iPhones, Macs, and iPads
• CVE-2025-24201: Apple Issues Emergency Patches for Actively Exploited Zero-Day Vulnerability
• Apple Shortcuts Vulnerability (CVE-2024-23204): Technical Analysis and Mitigation

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts