Apple Fixed Another Zero-day Security Vulnerability: Update Your Devices Now


It’s always good to see companies stay on top of zero-days. They can’t always be prevented, but a quick fix minimizes the number of users who can be affected. Now, Apple has just fixed a zero-day vulnerability in WebKit, and it’s actually a pretty interesting one.

Apple has just fixed a security flaw that was being exploited in the wild. The flaw, tracked as CVE-2025-24201, stems from WebKit, the core browser engine used in Safari. As per Apple, “this is a supplementary fix for an attack that was blocked in iOS 17.2,” and it added that the company was “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”

The vulnerability is an out-of-bounds write issue that allows attackers to craft malicious web content that can break out of the Web Content sandbox. By escaping the bounds of the web browser, attackers could potentially execute arbitrary code and gain control over affected devices. The issue was an open door for targeted attacks rather than widespread exploitation, and it doesn’t look like it was being exploited widely. Still, if you’re targeted by an attacker with this vulnerability, the consequences could be disastrous.

The issue was affecting the following devices:

  • iPhone XS and later models
  • iPad Pro 13-inch
  • iPad Pro 12.9-inch 3rd generation and later
  • iPad Pro 11-inch 1st generation and later
  • iPad Air 3rd generation and later
  • iPad 7th generation and later
  • iPad mini 5th generation and later
  • Mac computers running macOS Sequoia
  • Apple Vision Pro

Apple stated it had resolved the issue with improved checks in the latest software updates, including iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. If you have an affected device, the right move is to download the update as soon as you get a chance. You’re probably not being targeted by anyone who would be willing to exploit this, but it’s good practice to stay on top of your security updates nonetheless.
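For anyone checking more than one device, the sketch below (an added example, not Apple's or this article's code) compares an inventory against the fixed releases named above. The inventory rows and hostnames are constructed sample data, and the check looks only at release numbers, not at device models.

```python
# Added example. Fixed releases are the ones named in the article;
# everything in SAMPLE is constructed for illustration.
FIXED = {
    "iOS": "18.3.2",
    "iPadOS": "18.3.2",
    "macOS": "15.3.2",
    "visionOS": "2.3.2",
    "Safari": "18.3.1",
}

def parse_version(text):
    """Turn '18.3' into (18, 3, 0) so comparison is numeric, not lexical."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def needs_update(product, installed):
    """True when the installed release is older than the fixed one."""
    return parse_version(installed) < parse_version(FIXED[product])

def audit(inventory):
    """Return (host, product, installed, status) for rows needing attention."""
    findings = []
    for host, product, installed in inventory:
        try:
            if needs_update(product, installed):
                findings.append((host, product, installed, "outdated"))
        except (KeyError, ValueError):
            # Product not named in the article, or a malformed version string.
            findings.append((host, product, installed, "review"))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("iphone-01", "iOS", "18.3.1"),
    ("iphone-02", "iOS", "18.3.2"),
    ("ipad-01", "iPadOS", "18.3"),      # short form means 18.3.0
    ("mac-01", "macOS", "15.10"),       # hypothetical; a string compare gets this wrong
    ("mac-01", "Safari", "18.3"),
    ("vision-01", "visionOS", "2.3.2"),
    ("watch-01", "watchOS", "11.3"),    # not named in the article
]

if __name__ == "__main__":
    for host, product, installed, status in audit(SAMPLE):
        print(f"{status.upper()}: {host} {product} {installed} "
              f"(fixed in {FIXED.get(product, 'n/a')})")
```

Versions are compared as integer tuples because a plain string comparison would rank "15.10" below "15.3.2" and would treat "18.3" inconsistently.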

This is actually the third zero-day vulnerability that Apple has patched since the beginning of 2025. Earlier this year, Apple addressed CVE-2025-24085 in January and CVE-2025-24200 in February. It’s good to see the company stay on top of these kinds of zero-day vulnerabilities—while this specific issue can only be exploited with “sophisticated” targeted attacks, there have been cases of vulnerabilities that are much easier to exploit and are, therefore, a danger to average folks.


Zero-days, by definition, are vulnerabilities that are unknown to the software vendor, meaning there is no patch available when the flaw is first discovered or exploited. Like we said earlier, companies probably can’t avoid them, even though they try to stay on top of security issues and devote vast resources to finding flaws on their own. So the right move here is to come up with a fix and roll it out as quickly as possible, so as to minimize the number of users that are actually affected.

The patched software should be rolling out now, so make sure to hit update as soon as you can.

Source: Bleeping Computer, TechCrunch


