Apple releases major security updates addressing Zero-Day vulnerabilities and multiple security flaws
Take action: This one is very important and shouldn't be delayed. Apple has patched hundreds of flaws including three actively exploited. Apple considers the actively exploited flaws important enough to patch them even in old versions of the operating system. So don't delay, UPDATE YOUR APPLE DEVICES NOW!
Learn More
Apple has rolled out significant security updates across its ecosystem, addressing actively exploited zero-day vulnerabilities and backporting crucial fixes to older operating system versions. The updates span iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, resolving hundreds of security issues.
Critical Zero-Day Vulnerabilities Fixed
Three zero-day vulnerabilities that were actively exploited in targeted attacks have been addressed:
- CVE-2025-24200 (CVSS score: 4.6) - An authorization flaw allowing physical attackers to disable USB Restricted Mode on locked devices, potentially bypassing protections designed to halt unauthorized access to sensitive data.
- CVE-2025-24201 (CVSS score: 8.8) - An out-of-bounds write issue in WebKit that allows attackers to craft web content that could break out of the Web Content sandbox, potentially compromising the entire device.
- CVE-2025-24085 (CVSS score: 7.3) - A use-after-free vulnerability in Apple's CoreMedia framework enabling privilege escalation that could allow malicious applications to execute privileged actions.
Apple confirmed these vulnerabilities were exploited in "sophisticated attacks against specific users," with the WebKit bug specifically exploited against iOS versions older than 17.2.
Major Security Updates Released
iOS 18.4 and iPadOS 18.4 update resolves 77 vulnerabilities, including:
- CVE-2025-30456 (app sandbox bypass allowing root privilege escalation)
- CVE-2025-24097 (arbitrary file metadata access through AirDrop)
- CVE-2025-31182 (arbitrary file deletion)
- CVE-2025-24221 (keychain data leak in iOS backups that could expose passwords)
- CVE-2025-30430 (password autofill glitch allowing passwords to autofill without authentication)
- CVE-2025-30428 (hidden photos vulnerability allowing access without passcode)
macOS Sequoia 15.4 update resolves 131 vulnerabilities in this update, including:
- CVE-2025-24228 (arbitrary code execution with kernel privileges)
- CVE-2025-24267 (privilege escalation to root)
- CVE-2025-24178 (sandbox escape)
- CVE-2025-24257 (kernel exploits allowing hackers to run code with high-level access)
- CVE-2025-24278 (weakness allowing apps to access protected files)
Safari 18.4 update addresses 14 flaws including:
- CVE-2025-24213 (WebKit memory corruption)
- CVE-2025-30427 (WebKit use-after-free)
- CVE-2025-24180 (WebAuthn credential confusion)
- CVE-2025-24264 (multiple WebKit vulnerabilities enabling website crashes or code execution)
Backporting to Older Systems
Apple has backported fixes for the three actively exploited vulnerabilities to older devices:
- iOS 15.8.4 and iPadOS 15.8.4 (iPhone 6s, iPhone 7, iPhone SE 1st gen, iPad Air 2, iPad mini 4th gen, iPod touch 7th gen)
- iOS 16.7.11 and iPadOS 16.7.11 (iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th gen, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st gen)
- iPadOS 17.7.6 (iPad Pro 12.9-inch 2nd gen, iPad Pro 10.5-inch, iPad 6th gen)
- macOS Sonoma 14.7.5 and Ventura 13.7.5
Users should update all Apple devices immediately and enable automatic updates for future security patches. Also, avoid installing unverified applications or suspicious browser extensions and consider enabling Lockdown Mode on supported devices for maximum security.
