Apple has pushed another update to its mobile operating systems, iOS and iPadOS, to address a newly-discovered zero-day that is already being exploited by threat actors in the wild to enable so-called zero-click attacks.
Tracked as CVE-2025-43300, the flaw is an out-of-bounds write issue in the ImageIO framework – which is used to enable applications to read and write the majority of image file formats.
If successfully exploited, processing a maliciously crafted-image file results in memory corruption on the target device.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” Apple said in its customarily sparse advisory.
The update, which takes iOS and iPadOS to version 18.6.2, addresses this problem with improved bounds checking.
Adam Boynton, senior security strategy manager for EMEIA at Jamf, an Apple device management specialist, explained that the flaw could potentially be used by threat actors to compromise the device and enable the execution of malicious code.
In these zero-click attacks, malicious payloads are generally delivered via channels such as text message, email, or messaging apps. These payloads contain data packets that are designed to trigger the vulnerability automatically, without any user interaction taking place – hence the term zero-click.
This stealthy methodology means zero-clicks are tricky for enterprise defenders to get to grips with, not least because they are hard to detect and bypass end-user training, but also because they often leave very little in terms of forensic evidence and can operate without setting off any security alerts.
Zero-click attacks have also been proven to be highly effective against high-value targets within businesses, and additionally for certain categories of organisations and individuals at risk of targeted cyber-espionage, such as non-governmental organisations (NGOs), journalists and media, and activists and politicians.
“Apple has indicated that this vulnerability has been exploited in sophisticated, targeted attacks, which typically focus on individuals with highly valued access or contacts, such as journalists, lawyers, activists, and government officials,” said Boynton.
“While Apple has not confirmed whether this specific flaw was linked to spyware, similar vulnerabilities in ImageIO and WebKit have previously been used in Pegasus campaigns.”
Mitigating zero-click attacks
Sylvain Cortes, vice president of strategy at Hackuity, a vulnerability management platform, said: “With the vulnerability being actively exploited, everyone should check their iPhones immediately. Organisations handling Apple devices need to be able to identify and update all affected devices immediately, especially if they operate in at-risk fields like the legal, media and public sectors.”
When responding to zero-click vulnerabilities, security professionals can help turn the odds in their favour not only by aggressively patching against them, but also by keeping up-to-date on threat intelligence, deploying defence-in-depth strategies with layered security protections, and introducing technologies such as micro-segmentation, endpoint detection and response (EDR) tools, and mobile device management (MDM) services.
Meanwhile, individual Apple users can check if their iPhones or iPads are running the updated version 18.6.2 by navigating to Settings, General, and Software Update on their devices.
The update to version 18.6.2 will likely be among the final releases to take place ahead of the anticipated unveiling of iOS 26, which still looks to be on track for mid-September. This will accompany the launch of the iPhone 17.
