
Apple has released urgent security updates to address a critical zero-day vulnerability in its WebKit browser engine, warning that the flaw “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” The security flaw, tracked as CVE-2025-24201, affects Safari and other WebKit-based applications across iOS, macOS, iPadOS, and visionOS, as well as Linux and Windows environments where WebKit is used.
According to Apple’s advisory, the CVE-2025-24201 vulnerability is an out-of-bounds write issue that could be exploited through maliciously crafted web content, enabling attackers to escape WebKit’s Web Content sandbox. This allows them to execute unauthorized actions on the target device—potentially leading to further exploitation, remote code execution, or spyware deployment.
Apple emphasized that the attack appears to be highly targeted rather than widespread, but did not disclose the identities of the attackers or their victims.
Apple revealed that the patch for CVE-2025-24201 is a supplementary fix for an attack that was previously mitigated in iOS 17.2, and that the issue has now been fully addressed in:
- iOS 18.3.2
- iPadOS 18.3.2
- macOS Sequoia 15.3.2
- visionOS 2.3.2
- Safari 18.3.1
The company’s security teams became aware that the exploit remained effective on iOS versions prior to iOS 17.2, prompting the latest emergency patch.
The CVE-2025-24201 zero-day affects a wide range of Apple devices, including both newer and older models:
- iPhones: iPhone XS and later
- iPads: iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later), iPad Air (3rd gen and later), iPad (7th gen and later), iPad mini (5th gen and later)
- Macs running macOS Sequoia
- Apple Vision Pro
Given WebKit’s cross-platform nature, users of third-party browsers on iOS and iPadOS—where Apple enforces WebKit usage—were also at risk.
Apple’s advisory used similar language in February 2025 when it patched another zero-day that had been leveraged in “an extremely sophisticated attack against specific targeted individuals.” However, the company stated that there is no confirmed connection between the two vulnerabilities.
The lack of disclosed details suggests the potential involvement of nation-state actors or private exploit brokers, similar to previous cases where WebKit vulnerabilities were exploited in espionage campaigns.
Apple urges all users to update their devices immediately to mitigate the risk posed by CVE-2025-24201. Since WebKit is deeply integrated into Apple’s operating systems, even users who rely on third-party browsers on iOS and iPadOS should apply the update.
For enterprise and high-risk users, Apple recommends enabling Lockdown Mode, a feature designed to harden device security against highly targeted attacks.
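For teams that need to confirm the update has actually landed across a fleet, the following added example (not from Apple or from the original article) checks a device inventory against the fixed releases listed above. The CSV layout, column names and device names are assumptions; any platform or version string the article's list does not cover is reported as `unknown` rather than guessed.

```python
import csv
import io

# Fixed releases for CVE-2025-24201, taken from the list in this article.
FIXED = {
    "ios": (18, 3, 2),
    "ipados": (18, 3, 2),
    "macos": (15, 3, 2),
    "visionos": (2, 3, 2),
    "safari": (18, 3, 1),
}

def parse_version(text):
    """Turn '18.3' or '18.3.2' into a 3-tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for one inventory row."""
    fixed = FIXED.get(platform.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # platform not in the article's list, or unparseable version
    return "patched" if parsed >= fixed else "needs_update"

def audit(inventory_csv):
    """Map each device name to its status from a CSV with a header row."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["platform"], r["version"]) for r in reader}

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE = """device,platform,version
exec-iphone,iOS,18.3.2
field-ipad,iPadOS,18.3
lab-iphone,iOS,17.1.2
design-mac,macOS,15.3.1
demo-headset,visionOS,2.3.2
kiosk-browser,Safari,18.3.1
build-host,Linux,6.8
test-phone,iOS,18.3.2-beta
"""

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(f"{device:15} {status}")
```

Rows reported as `unknown` need manual review, since the article lists no fixed version for them.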