Critical Apple vulnerability enables “extremely sophisticated” attacks


Apple has urgently patched a zero-day vulnerability in WebKit, the engine powering the Safari web browser and many other apps.

Apple explains that hackers can craft malicious websites or other web content that escapes the Web Content sandbox, a built-in security protection. This potentially lets hackers access other parts of the system.

“This is a supplementary fix for an attack that was blocked in iOS 17.2. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2,” the advisory reads.


The vulnerability, tracked as CVE-2025-24201, is an out-of-bounds write issue. This means that data can be written to the wrong places in a device’s memory, which could lead to crashes or malicious code insertion. The flaw was addressed with improved checks to prevent unauthorized actions.

No official link to any threat actors has been confirmed. In the past, high-profile attacks on targeted individuals have sometimes involved sophisticated spyware like Pegasus.

Patches are available for iPhone XS and later, as well as Macs, iPads, Apple TVs, Apple Watches, and Vision Pro devices. The flaw affects all the latest versions of operating systems released before March 11th, 2025.

The vulnerability has been fixed in visionOS 2.3.2, iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1. This marks Apple's third rapid security response for a wide range of devices this year.
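
An inventory check built from the fixed versions listed above, as an added example that is not code from Apple or from this article. The host names and inventory entries are constructed; entries on an older major release, or on a platform for which no fixed version is given here, are marked `review` rather than guessed.

```python
# Minimum fixed versions for CVE-2025-24201, as listed in the article.
FIXED = {
    "visionos": (2, 3, 2),
    "ios": (18, 3, 2),
    "ipados": (18, 3, 2),
    "macos": (15, 3, 2),
    "safari": (18, 3, 1),
}

def parse_version(text):
    """'18.3.2' -> (18, 3, 2); '18.4' -> (18, 4, 0). Raises ValueError on junk."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Return 'patched', 'vulnerable' or 'review' for one inventory entry."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "review"      # no fixed version for this platform in the article
    try:
        current = parse_version(version)
    except ValueError:
        return "review"      # unparseable version string
    if current >= fixed:
        return "patched"
    if current[0] < fixed[0]:
        return "review"      # older release line: the article lists no fix for it
    return "vulnerable"

# Constructed sample inventory: (host, platform, reported version).
INVENTORY = [
    ("ceo-iphone", "iOS", "18.3.2"),
    ("lab-ipad", "iPadOS", "18.3"),
    ("build-mac", "macOS", "15.4"),
    ("old-phone", "iOS", "17.7.2"),
    ("kiosk", "tvOS", "18.3"),
]

def report(inventory):
    """Map each host to its status."""
    return {host: assess(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```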