Article Details

Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks. Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in "extremely sophisticated" attacks. The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component. It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandbox. Apple said it resolved the issue with improved checks to prevent unauthorized actions. It also noted that it's a supplementary fix for an attack that was blocked in iOS 17.2. Furthermore, it acknowledged that the vulnerability "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2." However, the advisory does not mention if Apple's own security team discovered the flaw or if it was reported to it by an external researcher. It also does not mention when the attacks began, how long they lasted, and who was targeted. The update is available for the following devices and operating system versions - With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year, the other two being CVE-2025-24085 and CVE-2025-24200.