Apple Patches WebKit Zero-Day Exploited in Targeted Attacks
Apple has released a security update to patch a zero-day vulnerability that has been actively exploited in what it describes as “extremely sophisticated” attacks.
The flaw, identified as CVE-2025-24201, resides in the WebKit browser engine and is classified as an out-of-bounds write issue. Attackers could leverage this vulnerability to craft malicious web content capable of escaping the Web Content sandbox.
Apple addressed the issue by implementing improved validation checks. The company also clarified that this fix is an extension of a previous mitigation introduced in iOS 17.2. It further noted that the exploit may have been used in targeted attacks against specific individuals running iOS versions prior to 17.2.
However, Apple did not disclose details about when the attacks began, their duration, or the identity of the affected targets. The advisory also does not specify whether the vulnerability was discovered internally or reported by an external researcher.
Devices and OS Versions Receiving the Update:
- iOS 18.3.2 / iPadOS 18.3.2 – iPhone XS and later, iPad Pro (13-inch, 12.9-inch 3rd gen and later, 11-inch 1st gen and later), iPad Air (3rd gen and later), iPad (7th gen and later), iPad mini (5th gen and later)
- macOS Sequoia 15.3.2 – Macs running macOS Sequoia
- Safari 18.3.1 – Macs running macOS Ventura and macOS Sonoma
- visionOS 2.3.2 – Apple Vision Pro
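As an added example that is not part of the article or of Apple's advisory, the following Python script turns the version list above into a patch-compliance check: it compares each inventory record's reported version against the minimum fixed version for its platform and lists the devices that still need the update. The inventory record format, the platform key names and the sample device records are constructed assumptions; the fixed version numbers are the ones listed above.

```python
"""Patch-compliance check for CVE-2025-24201 (added example, not from the article).

Assumes an inventory export where each record carries a platform name and an
OS or Safari version string. The minimum fixed versions are those listed in
the article; the inventory records below are constructed sample data.
"""
from typing import Iterable

# Minimum versions carrying the fix, per the advisory summary above.
FIXED_VERSIONS = {
    "ios": "18.3.2",
    "ipados": "18.3.2",
    "macos": "15.3.2",    # macOS Sequoia
    "safari": "18.3.1",   # Safari on macOS Ventura / Sonoma
    "visionos": "2.3.2",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '18.3.2' into (18, 3, 2)."""
    return tuple(int(p) for p in v.strip().split("."))


def is_patched(platform: str, version: str) -> bool:
    """True if `version` is at or above the fixed version for `platform`.

    Platforms not in the table are reported as unpatched so they surface
    for manual review instead of silently passing.
    """
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        return False
    have, need = parse_version(version), parse_version(fixed)
    # Pad to equal length so '18.3' compares as (18, 3, 0) against (18, 3, 2).
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def find_unpatched(inventory: Iterable[dict]) -> list[str]:
    """Return the ids of inventory records that still lack the fix."""
    return [d["id"] for d in inventory
            if not is_patched(d["platform"], d["version"])]


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "version": "18.3.2"},
    {"id": "iphone-02", "platform": "iOS", "version": "18.3.1"},
    {"id": "ipad-01", "platform": "iPadOS", "version": "18.3"},
    {"id": "mac-01", "platform": "macOS", "version": "15.3.2"},
    {"id": "mac-02", "platform": "Safari", "version": "18.3.1"},
    {"id": "mac-03", "platform": "Safari", "version": "18.2"},
    {"id": "vision-01", "platform": "visionOS", "version": "2.3.2"},
    {"id": "unknown-01", "platform": "tvOS", "version": "18.3.1"},
]

if __name__ == "__main__":
    for dev_id in find_unpatched(SAMPLE_INVENTORY):
        print("needs update:", dev_id)
```

For Macs on Ventura or Sonoma the fix ships as a Safari update rather than an OS update, so those hosts should be recorded under the `safari` key with their Safari version; checking their macOS version against 15.3.2 would flag every one of them.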
With this latest fix, Apple has now patched three actively exploited zero-days in its software this year, the previous two being CVE-2025-24085 and CVE-2025-24200.