Apple has issued an emergency security update for iPhone, iPad, and Mac users to patch a critical zero-day vulnerability that it said has already been exploited in the wild.
The out-of-bounds write vulnerability, designated CVE-2025-43300, was discovered by Apple security researchers and affects the Image I/O framework, which enables applications to read and write various different image file formats.
"Processing a malicious image file may result in memory corruption,” the tech giant said in an advisory.
An out-of-bounds write vulnerability occurs when attackers write data outside a program's allocated memory boundaries, potentially overwriting critical system information - in this case by sending a malicious image delivered via email, messaging apps or malicious websites.
If the victim opens the image, it could allow the attackers to carry out arbitrary code execution, potentially allowing them to take full control of an affected device and spy on users, steal data or install further malware.
The flaw affects the iPhone XS and later models, according to Apple. Devices impacted include:
- iPad Pro 13-inch
- iPad Pro 12.9-inch, 3rd generation and later
- iPad Pro 11-inch, 1st generation and later
- iPad Air, 3rd generation and later
- iPad 7th generation and later
- iPad mini, 5th generation and later
Worryingly, the flaw has already been exploited in the wild.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said - without giving any further details.
Apple urges users to update immediately
While this implies that the general public is unlikely to be targeted, Apple is advising users to install the new update, which includes improvements to bounds checking, immediately, via Settings, General and Software Update.
The chances are high that the successful attackers are nation-state actors. Similar exploits of Apple devices in the past have been linked to the use of spyware such as Israeli firm NSO Group's Pegasus software.
Already this year, Apple has patched five zero-days that have been exploited in the wild. These included:
- CVE-2025-24085
- CVE-2025-24200
- CVE-2025-24201
- CVE-2025-31200
- CVE-2025-31201
There were half a dozen more last year, figures show. The company also last month patched a Safari vulnerability - CVE-2025-6558 - residing in an open source component.
Google reported it had been exploited as a zero-day in the Chrome web browser.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Enterprise browsers: the new standard for security?In-depth The market for enterprise browsers is growing fast – but are their features and security controls enough to compete with free applications?
-
Unlocking technology value: the essential role of TBM in modern IT managementManage spend, optimize costs, and drive greater value from your technology investments with TBM
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
