Sep 16, 2025Ravie LakshmananVulnerability / Adware
Apple on Monday backported fixes for a lately patched safety flaw that has been actively exploited within the wild.
The vulnerability in query is CVE-2025-43300 (CVSS rating: 8.8), an out-of-bounds write subject within the ImageIO element that might lead to reminiscence corruption when processing a malicious picture file.
“Apple is conscious of a report that this subject could have been exploited in a particularly subtle assault in opposition to particular focused people,” the corporate mentioned.
Since then, WhatsApp has acknowledged {that a} vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS rating: 5.4) had been chained with CVE-2025-43300 as a part of highly-targeted spyware and adware assaults aimed toward lower than 200 people.
Whereas the shortcoming was first addressed by the iPhone maker late final month with the discharge of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1, it has additionally been launched for the next older variations –
iOS 16.7.12 and iPadOS 16.7.12 – iPhone 8, iPhone 8 Plus, iPhone X, iPad fifth era, iPad Professional 9.7-inch, and iPad Professional 12.9-inch 1st era
iOS 15.8.5 and iPadOS 15.8.5 – iPhone 6s (all fashions), iPhone 7 (all fashions), iPhone SE (1st era), iPad Air 2, iPad mini (4th era), and iPod contact (seventh era)
The updates have been rolled out alongside iOS 26, iPadOS 26, iOS 18.7, iPadOS 18.7, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, and Xcode 26, which additionally tackle a variety of different safety flaws –
CVE-2025-31255 – An authorization vulnerability in IOKit that might permit an app to entry delicate information
CVE-2025-43362 – A vulnerability in LaunchServices that might permit an app to watch keystrokes with out person permission
CVE-2025-43329 – A permissions vulnerability in Sandbox that might permit an app to interrupt out of its sandbox
CVE-2025-31254 – A vulnerability in Safari that might lead to sudden URL redirection when processing maliciously crafted internet content material
CVE-2025-43272 – A vulnerability in WebKit that might lead to sudden Safari crash when processing maliciously crafted internet content material
CVE-2025-43285 – A permissions vulnerability in AppSandbox that might permit an app to entry protected person information
CVE-2025-43349 – An out-of-bounds write subject in CoreAudio that might lead to sudden app termination when processing a maliciously crafted video file
CVE-2025-43316 – A permissions vulnerability in DiskArbitration that might permit an app to achieve root privileges
CVE-2025-43297 – A kind confusion vulnerability in Energy Administration that might lead to a denial-of-service
CVE-2025-43204 – A vulnerability in RemoteViewServices that might permit an app to interrupt out of its sandbox
CVE-2025-43358 – A permissions vulnerability in Shortcuts that might permit a shortcut to bypass sandbox restrictions
CVE-2025-43333 – A permissions vulnerability in Highlight that might permit an app to achieve root privileges
CVE-2025-43304 – A race situation vulnerability in StorageKit that might permit an app to achieve root privileges
CVE-2025-48384 – A Git vulnerability in Xcode that might lead to distant code execution when cloning a maliciously crafted repository
Whereas there is no such thing as a proof that any of the aforementioned flaws have been weaponized in real-world assaults, it is at all times an excellent apply to maintain techniques up-to-date for optimum safety.
