Apple Issues Third Emergency Patch in Three Months to Address Actively Exploited WebKit Zero-Day
For the third time in as many months, Apple has released an urgent security update to patch a zero-day vulnerability that has already been exploited in the wild.
Details of the WebKit Vulnerability (CVE-2025-24201)
The newly identified flaw, CVE-2025-24201, resides in WebKit, Apple's open-source browser engine used in Safari, iOS, iPadOS, and macOS. This component is a frequent target for cyberattacks due to its deep integration across Apple’s ecosystem.
Apple described the flaw as an out-of-bounds write issue, which, if exploited, could allow maliciously crafted web content to escape the Web Content sandbox, a critical security mechanism designed to protect user data and system resources from compromised apps.
The company has addressed the issue with updates in:
- iOS 18.3.2
- iPadOS 18.3.2
- Safari 18.3.1
- macOS Sequoia 15.3.2
- visionOS 2.3.2
This patch serves as a supplementary fix for an attack that was partially mitigated in iOS 17.2.
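The following is an added example, not code from Apple or from the original article: a small triage script that compares a device inventory against the fixed versions listed above. The inventory rows, hostnames and status labels are constructed for illustration. Devices on an older major release are flagged for review because the article names no fixed version for those release lines.

```python
import re

# Fixed versions as listed in the article for CVE-2025-24201.
FIXED = {"iOS": (18, 3, 2), "iPadOS": (18, 3, 2), "Safari": (18, 3, 1),
         "macOS": (15, 3, 2), "visionOS": (2, 3, 2)}

def parse_version(text):
    """Turn '18.3' or '18.3.1 (build)' into a 3-tuple; None if no version is found."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 18.3 sorts below 18.3.2

def classify(product, version):
    fixed = FIXED.get(product)
    have = parse_version(version)
    if fixed is None or have is None:
        return "unknown"
    if have >= fixed:
        return "patched"
    if have[0] < fixed[0]:
        # Older release line: the article names no fixed version for it,
        # so flag it for manual review rather than guessing.
        return "review"
    return "update-required"

def triage(rows):
    """rows: (host, product, version) tuples; returns hosts that are not 'patched'."""
    findings = {}
    for host, product, version in rows:
        status = classify(product, version)
        if status != "patched":
            findings.setdefault(host, []).append((product, version, status))
    return findings

# Constructed inventory rows (hypothetical hostnames), e.g. from an MDM export.
INVENTORY = [
    ("iphone-014", "iOS", "18.3.2"),
    ("iphone-022", "iOS", "18.3.1 (build)"),
    ("ipad-003", "iPadOS", "17.7.5"),
    ("mac-101", "macOS", "15.3.2"),
    ("mac-101", "Safari", "18.3"),
    ("avp-001", "visionOS", "2.4"),
]

if __name__ == "__main__":
    for host, items in triage(INVENTORY).items():
        print(host, items)
```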
Impacted Devices
The vulnerability affects a wide range of Apple products, including:
- iPhone XS and later
- iPad Pro 13-inch and 12.9-inch (3rd gen and later)
- 11-inch iPad Pro (1st gen and later)
- iPad Air (3rd gen and later)
- iPad (7th gen and later)
- iPad mini (5th gen and later)
- macOS Sequoia devices
- Apple Vision Pro
Highly Targeted Exploits with Limited Details
Apple has acknowledged that CVE-2025-24201 has been exploited in a sophisticated attack against specific individuals, particularly on older iOS versions before 17.2. However, as with previous disclosures, the company has not provided specific details about the nature of the attacks or the identities of those targeted.
This follows a pattern of cryptic disclosures—Apple used nearly identical wording in February 2025 when it patched CVE-2025-24200, another WebKit flaw exploited in the wild. That case was linked to a researcher from The Citizen Lab, a group specializing in government surveillance and spyware threats, suggesting that nation-state actors may have been involved.
In January 2025, Apple also patched CVE-2025-24085, another zero-day vulnerability affecting macOS and iOS. The US Cybersecurity and Infrastructure Security Agency (CISA) added that flaw to its Known Exploited Vulnerabilities (KEV) catalog. However, CISA has not yet listed the newly patched CVE-2025-24201, indicating that current exploit activity remains limited and highly targeted.
WebKit: A Repeated Target for Exploitation
Since 2023, Apple has patched 17 actively exploited WebKit vulnerabilities, some of which have been linked to nation-state actors using commercial spyware like Pegasus and Predator to target iPhone users.
Potential Risks & Exploitation Challenges
Security expert Adam Boynton from Jamf explains that CVE-2025-24201 could allow attackers to execute arbitrary code on affected devices, leading to:
- Installation of malware
- Data theft
- Privilege escalation
- User activity monitoring
- Bypassing security mechanisms for persistence
Despite its dangers, exploiting CVE-2025-24201 is technically complex and requires expert knowledge of memory corruption, browser internals, and techniques for bypassing security mechanisms like Pointer Authentication Codes (PAC) and Control Flow Integrity (CFI). This complexity makes it unlikely that amateur hackers could leverage the flaw independently.
However, nation-state actors and advanced cybercriminals could use CVE-2025-24201 as part of a larger exploit chain, combining it with kernel privilege escalation to achieve full device compromise. If a working exploit is developed, attackers could distribute it through malicious websites, watering-hole attacks, phishing emails, or infected ads.
Mitigation Steps for Users
Users who cannot immediately update their devices should:
- Monitor for unusual activity
- Block access to known malicious websites
- Enable content filtering to restrict access to untrusted domains
- Activate Lockdown Mode for enhanced protection
- Avoid clicking on unverified links in emails, messages, or social media
Conclusion: A Growing Pattern of Targeted WebKit Exploits
Apple’s latest security patch reinforces a growing trend—highly targeted, sophisticated attacks leveraging WebKit zero-days. While details remain scarce, the repeated exploitation of Apple’s browser engine underscores the persistent risk for users, especially those in high-risk industries or under government surveillance threats. Applying patches promptly remains the best defense against these evolving threats.