Advisory

Apple patches critical WebKit Vulnerability exploited in "Extremely Sophisticated" attacks

Take action: it's time to update your Apple devices. There is an actively exploited flaw in WebKit that affects all current Apple operating systems. Right now it is probably being abused only by government agencies and the vendors that supply them, but it is only a matter of time before it is picked up by commodity spyware and ordinary criminals. Don't delay: the patch is quick, and an iPhone was updated while we were writing this post.


Learn More

Apple has released emergency security updates to address a zero-day vulnerability in WebKit, the browser engine behind Safari and the web views embedded in many other apps across Apple's platforms.

The vulnerability, tracked as CVE-2025-24201 (CVSS score 9.8), is an out-of-bounds write in WebKit that maliciously crafted web content could use to break out of the Web Content sandbox. Apple describes the patch as a "supplementary fix for an attack that was blocked in iOS 17.2", which means the original mitigation shipped in iOS 17.2 was incomplete. Apple also says it is aware of a report that the issue may have been exploited in an "extremely sophisticated attack against specific targeted individuals" on versions of iOS before iOS 17.2. Note what a sandbox escape implies: it is the second stage of a browser exploit chain, so an attacker already needs a way to run code inside the Web Content process, typically a separate WebKit memory-corruption bug, before this flaw becomes useful.

According to Apple's advisory, the vulnerability affects the following devices:

  • iPhone XS and later
  • iPad Pro 13-inch
  • iPad Pro 12.9-inch 3rd generation and later
  • iPad Pro 11-inch 1st generation and later
  • iPad Air 3rd generation and later
  • iPad 7th generation and later
  • iPad mini 5th generation and later
  • Macs running macOS Sequoia
  • Apple Vision Pro

Apple has addressed this vulnerability in the following updates:

  • iOS 18.3.2
  • iPadOS 18.3.2
  • macOS Sequoia 15.3.2
  • visionOS 2.3.2
  • Safari 18.3.1
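For Macs, you can verify that the fix is installed from a terminal instead of trusting the Software Update pane. The script below is an added example, not part of Apple's advisory or of this post's original text. It reads the installed macOS version with sw_vers and the installed Safari version from Safari's Info.plist, then compares them against the patched versions listed above. It treats a Mac as patched if either the listed macOS update (15.3.2) or the listed Safari update (18.3.1) is present; that "either is sufficient" rule is our assumption, because the advisory lists the two updates separately without saying which applies to which macOS release. The version comparison is plain POSIX sh and runs anywhere; the Apple-specific queries run only on macOS.

```shell
#!/bin/sh
# Added example: check a Mac against the patched versions Apple lists for
# CVE-2025-24201. Not Apple's code and not from the advisory.

# Minimum patched versions, taken from the advisory's update list.
MIN_MACOS="15.3.2"
MIN_SAFARI="18.3.1"

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing each
# numeric component in turn. Missing trailing components count as 0, so
# "15.3" < "15.3.2" and an empty string is lower than anything.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        ac="${ac:-0}"; bc="${bc:-0}"
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# assess OS_VERSION SAFARI_VERSION: print a verdict and return 0 when the
# machine carries at least one of the two listed fixes, 1 otherwise.
# Assumption (ours): either the macOS update or the Safari update is enough.
assess() {
    if version_ge "$1" "$MIN_MACOS" || version_ge "$2" "$MIN_SAFARI"; then
        echo "PATCHED: macOS $1, Safari $2"
        return 0
    fi
    echo "VULNERABLE: macOS $1, Safari $2 (need macOS >= $MIN_MACOS or Safari >= $MIN_SAFARI)"
    return 1
}

# check_mac: query the live system. sw_vers and the Safari bundle only exist
# on macOS, so this is skipped elsewhere (return 2 = "not applicable").
check_mac() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "not macOS: skipping live check"
        return 2
    fi
    os="$(sw_vers -productVersion)"
    # CFBundleShortVersionString is the user-visible Safari version (e.g. 18.3.1).
    safari="$(defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null)"
    assess "$os" "$safari"
}

# Run the live check only where it makes sense; harmless on other systems.
if command -v sw_vers >/dev/null 2>&1; then
    check_mac
fi
```

Run it as `sh check_webkit_patch.sh` on a Mac; a non-zero exit status means the listed fixes are absent. On iPhone and iPad the equivalent check is Settings > General > About, where the iOS or iPadOS version must read 18.3.2 or later.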

The company has not provided details about the attack campaigns or their perpetrators. Security experts suggest that the users at highest risk are likely targets of well-funded law enforcement agencies or nation-state threat actors.

Although the attacks appear to have been highly targeted rather than opportunistic, security professionals recommend installing these updates immediately: once a fix ships, the patched and unpatched WebKit binaries can be compared to locate the bug, and a sandbox escape that was once reserved for sophisticated operators tends to reappear in far less sophisticated hands.
