Apple has urgently released updates to fix CVE-2025-43300, a critical zero-day vulnerability already used in targeted attacks. This security flaw affects iOS, iPadOS, and macOS devices, and it stems from an out-of-bounds write issue in the ImageIO framework.
CVE-2025-43300 gave attackers a direct entry point
When users open malicious images, the flaw can corrupt memory and potentially allow attackers to run harmful code. Apple confirmed that threat actors had already exploited this bug in highly specific, real-world attacks. Although the company didn’t reveal who launched them, the precision suggests advanced threat groups or state-backed hackers.
Erin, a senior Apple engineer, stated that the company found the issue internally and responded with improved bounds checking to prevent further abuse.
Apple rolls out CVE-2025-43300 patch across major platforms
You can now download updates that fix the vulnerability across multiple device types. Here’s what received the patch:
- iOS 18.6.2 and iPadOS 18.6.2 – For iPhone XS and newer, iPad 7th gen and up, all iPad Pro models (13″, 12.9″, 11″), iPad Air 3rd gen and later, and iPad mini 5th gen and newer.
- iPadOS 17.7.10 – For iPad Pro 12.9-inch (2nd gen), iPad Pro 10.5-inch, and iPad 6th gen.
- macOS Ventura 13.7.8
- macOS Sonoma 14.7.8
- macOS Sequoia 15.6.1
To stay protected, install the patch immediately if your device appears on this list.
CVE-2025-43300 is one of several threats this year
This marks Apple’s seventh confirmed zero-day exploit in 2025. Others include CVE-2025-24085, CVE-2025-24200, CVE-2025-31200, and CVE-2025-43200. Each one allowed attackers to bypass key system defenses before Apple rolled out updates.
Furthermore, Apple addressed a Safari-related issue (CVE-2025-6558) last month that Google flagged after discovering its use in Chrome-based attacks.
Why you should update now
If you haven’t updated yet, do it now. Threat actors had already deployed CVE-2025-43300 in stealth campaigns, and new variants may follow. Although Apple responded quickly, your device stays exposed until you install the fix.
For anyone using a supported device, this patch is critical, not optional.
{{user}} {{datetime}}
{{text}}