Critical vulnerabilities in Apple 2025
Critical vulnerability 16/09
Introduction
CVE-2025-43300 is an out-of-bounds write vulnerability in the ImageIO component of Apple operating systems (iOS, iPadOS, and macOS). When processing a maliciously crafted image, this flaw could lead to memory corruption, opening the door to arbitrary code execution.
Analysis
CVE-2025-43300 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - 8.8
This is a critical flaw because all the victim needs to do is open, download, or even receive a manipulated image for the flaw to be activated, without any additional interaction. This attack vector makes it particularly attractive for espionage campaigns or targeted attacks. Apple confirmed that the vulnerability has been actively exploited in real-world environments, suggesting that it is being used by actors with advanced capabilities, possibly in digital surveillance operations against high-profile targets.
Affected versions
- iOS 16.7.12 and iPadOS 16.7.12: iPhone 8, iPhone 8 Plus, iPhone X, fifth-generation iPad, 9.7-inch iPad Pro, and first-generation 12.9-inch iPad Pro
- iOS 15.8.5 and iPadOS 15.8.5: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- iOS 26, iPadOS 26, iOS 18.7, iPadOS 18.7, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, and Xcode 26
Recommendations
It is recommended to apply the company's patch.
Workarounds
There are no workarounds for this vulnerability.