Article Details

Apple fixes new zero-day flaw exploited in targeted attacks. Apple has released emergency updates to patch another zero-day vulnerability that was exploited in an "extremely sophisticated attack." Tracked as CVE-2025-43300, this security flaw is caused by an out-of-bounds write weakness discovered by Apple security researchers in the Image I/O framework, which enables applications to read and write most image file formats. An out-of-bounds write occurs when attackers successfully exploit such vulnerabilities by supplying input to a program, causing it to write data outside the allocated memory buffer, which can lead to the program crashing, corrupting data, or, in the worst-case scenario, allowing remote code execution. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company revealed in security advisories issued on Wednesday. "An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption." Apple has addressed this issue with improved bounds checking to prevent exploitation in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. The complete list of devices impacted by this zero-day vulnerability is extensive, as the bug impacts both older and newer models, including: The company has yet to attribute the discovery to one of its researchers and has not yet published details regarding the attacks it described as "extremely sophisticated." While this flaw is likely only exploited in highly targeted attacks, it is strongly advised to install today's security updates promptly to prevent any potential ongoing attacks. With this vulnerability, Apple has fixed a total of six zero-days exploited in the wild since the start of the year, the first in January (CVE-2025-24085), the second in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201). In 2024, the company has patched six other actively exploited zero-days: one in January, two in March, a fourth in May, and two others in November. Picus Blue Report 2025 is Here: 2X increase in password cracking 46% of environments had passwords cracked, nearly doubling from 25% last year. Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.