Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild.
The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said.
Since then, WhatsApp has acknowledged that a vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been chained with CVE-2025-43300 as part of highly-targeted spyware attacks aimed at less than 200 individuals.
While the shortcoming was first addressed by the iPhone maker late last month with the release of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1, it has also been released for the following older versions –
- iOS 16.7.12 and iPadOS 16.7.12 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- iOS 15.8.5 and iPadOS 15.8.5 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
The updates have been rolled out alongside iOS 26, iPadOS 26, iOS 18.7, iPadOS 18.7, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, and Xcode 26, which also address a number of other security flaws –
- CVE-2025-31255 – An authorization vulnerability in IOKit that could allow an app to access sensitive data
- CVE-2025-43362 – A vulnerability in LaunchServices that could allow an app to monitor keystrokes without user permission
- CVE-2025-43329 – A permissions vulnerability in Sandbox that could allow an app to break out of its sandbox
- CVE-2025-31254 – A vulnerability in Safari that could result in unexpected URL redirection when processing maliciously crafted web content
- CVE-2025-43272 – A vulnerability in WebKit that could result in unexpected Safari crash when processing maliciously crafted web content
- CVE-2025-43285 – A permissions vulnerability in AppSandbox that could allow an app to access protected user data
- CVE-2025-43349 – An out-of-bounds write issue in CoreAudio that could result in unexpected app termination when processing a maliciously crafted video file
- CVE-2025-43316 – A permissions vulnerability in DiskArbitration that could allow an app to gain root privileges
- CVE-2025-43297 – A type confusion vulnerability in Power Management that could result in a denial-of-service
- CVE-2025-43204 – A vulnerability in RemoteViewServices that could allow an app to break out of its sandbox
- CVE-2025-43358 – A permissions vulnerability in Shortcuts that could allow a shortcut to bypass sandbox restrictions
- CVE-2025-43333 – A permissions vulnerability in Spotlight that could allow an app to gain root privileges
- CVE-2025-43304 – A race condition vulnerability in StorageKit that could allow an app to gain root privileges
- CVE-2025-48384 – A Git vulnerability in Xcode that could result in remote code execution when cloning a maliciously crafted repository
While there is no evidence that any of the aforementioned flaws have been weaponized in real-world attacks, it’s always a good practice to keep systems up-to-date for optimal protection.
