
Apple patches actively exploited zero-day bug


Apple has released patches to fix an actively exploited zero-day and several other security vulnerabilities across iPhones, iPads, Macs, Apple TV, Vision Pro, and Watch Series 6 and later. The iPhone maker didn’t share any details regarding the vulnerability’s exploitation but did confirm that it had been exploited against versions of iOS before iOS 17.2.

The actively exploited bug is tracked as CVE-2025-24085. If exploited, a malicious app can raise privileges and access the targeted device’s system components. The vulnerability exists in the CoreMedia component of Apple’s underlying device software and has been addressed with “improved memory management.”

Apple released security advisories for nine software products in its portfolio. The following devices and their respective operating system versions are now protected:

  • iOS 18.3 and iPadOS 18.3
  • macOS Sequoia 15.3
  • tvOS 18.3
  • visionOS 2.3
  • watchOS 11.3

Only the iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later are getting these security updates. Advisories on macOS versions Sonoma and Ventura don’t mention the vulnerability. Only Watch Series 6 and later are getting the security update for Apple’s watches.

Apple’s controversial AR/VR headset, the Vision Pro, had 18 security vulnerabilities fixed, including CVE-2025-24085. Five bugs were found in AirPlay and three in CoreAudio, another software component that Apple’s operating systems use. If exploited, these vulnerabilities can lead to unexpected system termination, denial-of-service (DoS), or even execution of malicious code on the device under the right conditions.

Since the vulnerability has been tagged as actively exploited, it’s recommended that you update your Apple devices to the latest available version to prevent exploitation.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
