In a coordinated effort to mitigate an actively exploited security vulnerability, Google, Apple, and Microsoft have released emergency patches for a critical zero-day flaw tracked as CVE-2025-24201. This vulnerability, an out-of-bounds write in the GPU on Mac, was reported by Apple Security Engineering and Architecture (SEAR) on March 5, 2025 and has since been exploited in the wild.
Google initially disclosed the vulnerability in a security advisory on March 10, 2025, confirming that exploits for CVE-2025-24201 were already circulating. The flaw affects the Chromium engine, which powers browsers like Google Chrome and Microsoft Edge.
To address the issue, Google has released a patch in Chrome version 134.0.6998.88/.89 for Windows and Mac, and version 134.0.6998.88 for Linux. The update is set to roll out over the coming days and weeks.
Following Google’s lead, Microsoft released an update for Edge on March 11, 2025. The latest Edge Stable Channel (Version 134.0.3124.62) integrates Chromium’s security updates, including the fix for CVE-2025-24201.
Apple responded swiftly to the vulnerability’s exploitation, issuing emergency security updates on March 11, 2025. Unlike Google and Microsoft’s Chromium-specific patch, Apple’s fix extends beyond Safari, covering the WebKit browser engine—a core component in macOS, iOS, and other Apple ecosystems.
According to Apple, attackers have leveraged the CVE-2025-24201 vulnerability to break out of the Web Content sandbox using maliciously crafted web content. The company noted that this was a supplementary fix for an attack originally mitigated in iOS 17.2, suggesting an ongoing effort by threat actors to bypass previous defenses.
Apple has now patched the flaw in the following software updates:
- iOS 18.3.2
- iPadOS 18.3.2
- macOS Sequoia 15.3.2
- visionOS 2.3.2
- Safari 18.3.1
Apple has yet to provide details on the specific threat actors exploiting this vulnerability, but its security advisory emphasizes that the attacks are “extremely sophisticated” and targeting specific individuals.
Given the severity of the flaw and its active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-24201 to its Known Exploited Vulnerabilities Catalog. CISA has issued a directive advising organizations to apply the necessary security updates before April 3, 2025 to prevent further exploitation.
Cybersecurity experts strongly recommend that all users and organizations:
- Update Google Chrome and Microsoft Edge to the latest versions immediately.
- Apply Apple’s security patches on all affected macOS, iOS, and iPadOS devices.
- Monitor for any unusual activity in their web-browsing environments.
- Follow CISA’s guidance and update vulnerable systems before the April 3 deadline.
Related Posts:
- CVE-2025-24201: Apple Issues Emergency Patches for Actively Exploited Zero-Day Vulnerability
- Microsoft Patch Tuesday (March 2025) Addresses 67 Vulnerabilities, Including Seven Zero-Day Flaws
- Qualcomm’s March 2025 Security Bulletin Addresses Critical Flaws Across Multiple Products
