Apple on Wednesday rushed security updates across its mobile and desktop operating systems to resolve a zero-day vulnerability exploited in highly targeted attacks.
Tracked as CVE-2025-43300, the security defect is described as an out-of-bounds write bug affecting the ImageIO framework used in iOS, iPadOS, and macOS products.
“Processing a malicious image file may result in memory corruption,” Apple explains in its advisory, noting that improved bounds checking was implemented to address the flaw.
The Cupertino-based tech giant also noted that the vulnerability was exploited in the wild, but refrained from providing specific information on the observed attacks.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the barebone advisory reads.
The company’s wording suggests that the vulnerability might have been exploited by a commercial spyware vendor.
According to the advisory, CVE-2025-43300 was discovered internally by Apple, which means that details on the bug and its exploitation might not be published soon.
Patches for the security hole were included in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
Although Apple says the flaw was exploited in highly targeted attacks, all users are advised to update their devices as soon as possible. Additional information can be found on the Apple security releases page.
The tech company kicked off 2025 with patches for an iOS zero-day, and released patches for other exploited flaws in February, March, and April. In late July, it resolved a Safari vulnerability that had been exploited against Chrome users.
Related: Elastic Refutes Claims of Zero-Day in EDR Product
Related: Photo-Stealing Spyware Sneaks Into Apple App Store, Google Play
Related: Apple Patches Major Security Flaws in iOS, macOS Platforms
Related: Gabbard Says UK Scraps Demand for Apple to Give Backdoor Access to Data
