Apple has released an urgent security update for iPhones and iPads, addressing a critical zero-day vulnerability that may have been actively exploited in highly sophisticated attacks. The flaw, tracked as CVE-2025-24201, resides in WebKit, the underlying browser engine for Safari and all other web browsers on iOS and iPadOS.
According to Apple's security advisory, the flaw stems from an out-of-bounds memory write issue, which could allow maliciously crafted web content to escape the Web Content sandbox.
This vulnerability poses a risk to high-profile targets such as activists, journalists, and individuals of interest to state-sponsored or well-funded cybercriminal groups.
The affected devices include:
- iPhone XS and later models.
- iPad Pro 13-inch.
- iPad Pro 12.9-inch (3rd generation and later).
- iPad Pro 11-inch (1st generation and later).
- iPad Air (3rd generation and later).
- iPad (7th generation and later).
- iPad mini (5th generation and later).

Apple confirmed that this fix is a follow-up to a previous security patch introduced in iOS 17.2. The company acknowledged reports that the vulnerability was exploited in “an extremely sophisticated attack against specific targeted individuals” running older versions of iOS before 17.2.
However, Apple has not disclosed details on how long the vulnerability was exploited, who discovered it, or which threat actors may be responsible. Such omissions are common when the company is still investigating the full scope of an attack or if the disclosure could risk revealing sensitive security information, reports Ars Technica.
With the latest patch, Apple has rolled out iOS and iPadOS 18.3.2, urging all users, particularly those at heightened risk of targeted attacks, to update their devices immediately. While no evidence suggests widespread exploitation of this vulnerability, cybersecurity experts recommend installing security updates within 36 hours of release to mitigate potential threats.