Apple Patches Critical WebKit Zero-Day Exploited in Targeted Attacks
Apple has rolled out a security update to fix a zero-day vulnerability (CVE-2025-24201) that was exploited in highly sophisticated cyberattacks.

WebKit Vulnerability and Exploit Details
The flaw, found in Apple's WebKit browser engine, is classified as an out-of-bounds write issue. Maliciously crafted web content that triggers it may be able to break out of the Web Content sandbox, potentially compromising user devices.
Apple has resolved the issue by enhancing security checks, ensuring unauthorized actions are blocked. The company also revealed that this update serves as an additional fix for an attack mitigated in iOS 17.2.
Targeted Exploitation and Limited Disclosure
According to Apple's security advisory, the flaw may have been actively used in highly sophisticated attacks against specific individuals running iOS versions prior to iOS 17.2. However, Apple has not disclosed details regarding the origin of the attacks, their duration, or the identity of the affected users. Additionally, it remains unclear whether the vulnerability was found internally or reported by an external researcher.
Devices and Systems Receiving the Update
The patch is now available for the following devices and software versions:
- iOS 18.3.2 / iPadOS 18.3.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen and later), iPad Pro 11-inch (1st gen and later), iPad Air (3rd gen and later), iPad (7th gen and later), and iPad mini (5th gen and later).
- macOS Sequoia 15.3.2 – Macs running macOS Sequoia.
- Safari 18.3.1 – Macs running macOS Ventura and macOS Sonoma.
- visionOS 2.3.2 – Apple Vision Pro.
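The following added example (not code from Apple or from this article's author) checks a device inventory against the fixed versions listed above, including the case where macOS Ventura and Sonoma receive the fix through Safari rather than an OS update. The record fields (`host`, `platform`, `os`, `safari`) and the sample data are assumptions, and any platform branch not named in the list is treated as lacking the fix.

```python
# Fixed versions for CVE-2025-24201, taken from the list in this article.
FIXED_OS = {"ios": (18, 3, 2), "ipados": (18, 3, 2), "visionos": (2, 3, 2)}
FIXED_SEQUOIA = (15, 3, 2)   # macOS Sequoia carries the fix in the OS update
FIXED_SAFARI = (18, 3, 1)    # macOS Ventura (13) / Sonoma (14) get it via Safari


def parse_version(text):
    """Turn '18.3' or '18.3.2' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_patched(record):
    """Return True if the record meets the fixed version for its platform."""
    platform = record["platform"].lower()
    os_version = parse_version(record["os"])
    if platform == "macos":
        if os_version[0] >= 15:
            return os_version >= FIXED_SEQUOIA
        if os_version[0] in (13, 14):
            # Fix ships in Safari here; a missing Safari version counts as unpatched.
            safari = record.get("safari")
            return bool(safari) and parse_version(safari) >= FIXED_SAFARI
        return False  # older macOS is not covered by the list above (assumption)
    if platform in FIXED_OS:
        return os_version >= FIXED_OS[platform]
    raise ValueError(f"unknown platform: {record['platform']}")


def unpatched(inventory):
    """Return the hostnames of records that still need the update."""
    return [r["host"] for r in inventory if not is_patched(r)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    {"host": "iphone-01", "platform": "iOS", "os": "18.3.1"},
    {"host": "ipad-02", "platform": "iPadOS", "os": "18.3.2"},
    {"host": "mac-03", "platform": "macOS", "os": "15.3.2"},
    {"host": "mac-04", "platform": "macOS", "os": "14.7.4", "safari": "18.3"},
    {"host": "mac-05", "platform": "macOS", "os": "13.7.4", "safari": "18.3.1"},
    {"host": "vision-06", "platform": "visionOS", "os": "2.3.1"},
]

if __name__ == "__main__":
    for host in unpatched(SAMPLE):
        print("needs update:", host)
```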
Apple’s Third Zero-Day Fix of 2025
This marks the third actively exploited zero-day vulnerability patched by Apple this year, following CVE-2025-24085 and CVE-2025-24200.
Users are strongly encouraged to update their devices immediately to protect against potential exploitation.