
On Monday, Apple issued critical security updates that retroactively address three actively exploited zero-day vulnerabilities affecting older versions of its operating systems.
CVE-2025-24200
The first vulnerability, designated CVE-2025-24200, was patched in iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, and iPadOS 15.8.4.
CVE-2025-24200 allows a physical attacker to disable USB Restricted Mode on an Apple device. USB Restricted Mode is a security feature designed to block unauthorised data access through the USB port once the iPhone or iPad has been locked for more than an hour.
Apple said CVE-2025-24200 “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” hinting at the potential involvement of state-sponsored actors seeking to surveil high-value targets such as government officials, journalists, or senior business executives. Although it was initially patched on February 10 in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5, the vulnerability remained unresolved in older operating systems until now.
CVE-2025-24201
The second flaw, CVE-2025-24201, was also patched in iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, and iPadOS 15.8.4.
This flaw is in WebKit, the browser engine used by Safari to render web pages. It allows malicious code running inside the Web Content sandbox — an isolated environment intended to contain browser-based threats — to escape and compromise broader system components.
CVE-2025-24201 was first mitigated in iOS 17.2 in late 2023, followed by a supplementary patch in iOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The flaw has now been retrospectively addressed in iOS and iPadOS 15 and 16.
CVE-2025-24085
CVE-2025-24085, the third vulnerability, was patched in iPadOS 17.7.6, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
This use-after-free vulnerability is in Apple’s Core Media, the framework responsible for handling media processing tasks such as audio and video playback in apps. It allows attackers to seize control of deallocated memory and repurpose it to execute privileged malicious code.
Apple initially patched it in January, in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3, and has now backported the fix to older systems.
Other vulnerabilities were patched in iOS 18.4
Alongside new Apple Intelligence features and emojis, iOS 18.4 — released on Tuesday — delivers fixes for new vulnerabilities, including:
- CVE-2025-30456: A flaw in the DiskArbitration framework that allowed apps to escalate their privileges to root.
- CVE-2025-24097: A flaw in AirDrop that allowed unauthorised apps to access file metadata, such as creation dates or user details.
- CVE-2025-31182: A flaw in the libxpc framework that let apps delete arbitrary files on the system.
- CVE-2025-30429, CVE-2025-24178, CVE-2025-24173: Flaws that allowed apps to break out of the sandbox in Calendar, libxpc, and Power Services, respectively.
- CVE-2025-30467: A flaw in Safari that could allow malicious websites to spoof the address bar.
Apple users are strongly urged to update their devices immediately to guard against exploitation of these now-publicised vulnerabilities. While most users will receive automatic update prompts, manual updates can be performed via Settings, General, and then Software Update.