Skip to main content

Security updates include remediation for exploited vulnerability CVE-2025-24201, which affects iOS, iPadOS, and macOS

Threat ID:CC-4630
Threat Severity:Medium
Published:12 March 2025 4:34 PM

Summary

Security updates include remediation for exploited vulnerability CVE-2025-24201, which affects iOS, iPadOS, and macOS 

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 18.3.1
Safari
Versions: all prior to 18.3.2
iOS
Versions: all prior to 18.2
iPadOS
Versions: all prior to 15.3.2
macOS Sequoia
Versions: all prior to 2.3.2
visionOS

Threat details

Exploitation of CVE-2025-24201

The security update addressing CVE-2025-24201 is a supplementary fix for an exploited vulnerability that was addressed in iOS 17.2. Apple is aware of a report that 'this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2'.


Introduction

Apple has released security updates to address an exploited vulnerability in multiple Apple products. CVE-2025-24201 is an 'out-of-bounds write' vulnerability that could allow an attacker with maliciously crafted web content to break out of Web Content sandbox.

The security update addressing CVE-2025-24201 is a supplementary fix for an exploited vulnerability that was addressed in iOS 17.2. Apple is aware of a report that 'this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2'.


CVE-2025-24201 also listed in Google Chrome Releases Stable Channel for Desktop Update

Google Chrome Releases Stable Channel for Desktop has included CVE-2025-24201 as being an 'Out of bounds write in GPU on Mac' vulnerability and has started releasing security updates for 134.0.6998.89 for Mac

Google is aware of reports that an exploit for CVE-2025-24201 exists in the wild.

Remediation advice

Affected organisations are encouraged to review Apple security releases and apply the relevant updates.

Remediation steps

  
Patch

Safari 18.3.1 | 122285


https://support.apple.com/en-us/122285
Patch

iOS 18.3.2 and iPadOS 18.3.2 | 122281


https://support.apple.com/en-us/122281
Patch

macOS Sequoia 15.3.2 | 122283


https://support.apple.com/en-us/122283
Patch

visionOS 2.3.2 | 122284


https://support.apple.com/en-us/122284

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2025-24201An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Last edited: 12 March 2025 4:34 pm

Back to top