Apple has released urgent security updates to patch a zero-day vulnerability actively exploited in the wild, warning that attackers may have already used it in highly targeted campaigns.
The flaw, tracked as CVE-2025-43300, stems from an out-of-bounds write weakness in Apple's Image I/O framework, a core component that enables applications to handle common image file formats. According to Apple's advisory:
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."
The vulnerability allows attackers to craft malicious image files that, when processed by a vulnerable application, could trigger memory corruption. In practice, this could be exploited to execute arbitrary code, potentially enabling surveillance or device compromise.
Apple explained the fix as follows:
"An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption."
The company has released patches across its ecosystem, urging all users to apply them immediately:
- iOS 18.6.2 and iPadOS 18.6.2
- iPadOS 17.7.10
- macOS Sequoia 15.6.1
- macOS Sonoma 14.7.8
- macOS Ventura 13.7.8
This wide coverage underscores how deeply integrated the Image I/O framework is across Apple products.
As is common with zero-day disclosures, Apple has not shared technical details about the exploitation, the identity of the attackers, or the profile of the victims. The zero-day is being leveraged in precision-targeted campaigns, potentially linked to spyware operations or nation-state threat actors.
With CVE-2025-43300 marked as actively exploited, users are strongly advised to:
- Update immediately to the latest iOS, iPadOS, and macOS versions.
- Be cautious when receiving unexpected images or opening files from untrusted sources.
- Enable automatic updates on Apple devices to reduce exposure time.
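One way to check a device inventory against the patched versions listed above, as an added example that is not Apple's tooling or part of the original article. The inventory records, field names and function names are constructed for illustration; release lines the article does not list are reported as "not-listed" rather than judged either way.

```python
# Fixed releases per (platform, major line), copied from the list in the article.
FIXED = {
    ("iOS", 18): (18, 6, 2),
    ("iPadOS", 18): (18, 6, 2),
    ("iPadOS", 17): (17, 7, 10),
    ("macOS", 15): (15, 6, 1),
    ("macOS", 14): (14, 7, 8),
    ("macOS", 13): (13, 7, 8),
}

def parse_version(text):
    """Turn '17.7.10' into (17, 7, 10); pad short versions such as '18.6'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError("unexpected version format: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Classify one device against the fixed release for its major line."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "not-listed"  # the article names no fix for this release line
    # Numeric tuple comparison: 17.7.10 is newer than 17.7.9, which a plain
    # string comparison would get wrong.
    return "patched" if v >= fixed else "needs-update"

def audit(inventory):
    """Return {host: status} for every device that is not confirmed patched."""
    findings = {}
    for device in inventory:
        status = assess(device["platform"], device["version"])
        if status != "patched":
            findings[device["host"]] = status
    return findings

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    {"host": "iphone-01", "platform": "iOS", "version": "18.6.2"},
    {"host": "ipad-07", "platform": "iPadOS", "version": "17.7.9"},
    {"host": "ipad-08", "platform": "iPadOS", "version": "17.7.10"},
    {"host": "mbp-12", "platform": "macOS", "version": "15.6"},
    {"host": "imac-03", "platform": "macOS", "version": "12.7.6"},
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(host, status)
```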