Apple has released out-of-band patches to fix a zero-day vulnerability. The new issue has reportedly already been exploited as part of an “extremely sophisticated attack.”
The vulnerability has been assigned the identifier CVE-2025-43300 and is an out-of-bounds write issue that was discovered by Apple’s own experts.
The bug was found in the Image I/O framework, which allows applications to read and write images in most formats.
Typically, exploiting such vulnerabilities can lead to software crashes, data corruption, or, in the worst case, remote code execution.
“An out-of-bounds write issue was addressed through improved bounds checks. Processing a malicious image file could lead to memory corruption,” the developers write.
The vulnerability was addressed as part of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
The list of devices affected by this vulnerability is extensive, as the issue affects both older and newer models:
- iPhone XS and later;
- iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later), iPad Pro 12.9-inch (2nd generation), iPad Pro 10.5-inch, and iPad (6th generation);
- Macs running macOS Sequoia, Sonoma, and Ventura.
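For fleet triage, the fixed releases listed above can be turned into a simple inventory check. This is an added example, not Apple's tooling: the host names and inventory rows are constructed, and any OS branch the article does not list is reported as `unknown` rather than guessed.

```python
# Added example: fixed releases are copied from the article text above.
# Branches the article does not mention are reported as "unknown".
FIXED = {
    ("ios", 18): (18, 6, 2),
    ("ipados", 18): (18, 6, 2),
    ("ipados", 17): (17, 7, 10),
    ("macos", 15): (15, 6, 1),   # Sequoia
    ("macos", 14): (14, 7, 8),   # Sonoma
    ("macos", 13): (13, 7, 8),   # Ventura
}

def parse_version(text):
    """Parse '15.6' or '17.7.10' into a 3-tuple of ints, padding with zeros."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def patch_status(platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for CVE-2025-43300."""
    ver = parse_version(version)
    fixed = FIXED.get((platform.lower(), ver[0]))
    if fixed is None:
        return "unknown"
    # Tuple comparison is numeric, so 17.7.10 sorts after 17.7.9.
    return "patched" if ver >= fixed else "needs_update"

def audit(inventory):
    """Group constructed (host, platform, version) rows by patch status."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for host, platform, version in inventory:
        report[patch_status(platform, version)].append(host)
    return report

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("mac-build-01", "macOS", "15.6"),
    ("mac-design-02", "macOS", "14.7.8"),
    ("ipad-kiosk-03", "iPadOS", "17.7.9"),
    ("iphone-exec-04", "iOS", "18.6.2"),
    ("mac-legacy-05", "macOS", "12.7.6"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
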
In addition, Apple representatives warn that CVE-2025-43300 may have been used in an “extremely sophisticated attack” targeting specific individuals. However, the company is not disclosing any details about this attack.
CVE-2025-43300 is already the sixth zero-day vulnerability that Apple has addressed in 2025. CVE-2025-24085 was fixed in January, CVE-2025-24200 in February, CVE-2025-24201 in March, and two issues, CVE-2025-31200 and CVE-2025-31201, in April.