Apple has issued an emergency security update for iPhone, iPad, and Mac users to patch a critical zero-day vulnerability that it said has already been exploited in the wild.
The out-of-bounds write vulnerability, designated CVE-2025-43300, was discovered by Apple security researchers and affects the Image I/O framework, which enables applications to read and write various different image file formats.
"Processing a malicious image file may result in memory corruption,” the tech giant said in an advisory.
An out-of-bounds write vulnerability occurs when attackers write data outside a program's allocated memory boundaries, potentially overwriting critical system information - in this case by sending a malicious image delivered via email, messaging apps or malicious websites.
If the victim opens the image, it could allow the attackers to carry out arbitrary code execution, potentially allowing them to take full control of an affected device and spy on users, steal data or install further malware.
The flaw affects the iPhone XS and later models, according to Apple. Devices impacted include:
- iPad Pro 13-inch
- iPad Pro 12.9-inch, 3rd generation and later
- iPad Pro 11-inch, 1st generation and later
- iPad Air, 3rd generation and later
- iPad 7th generation and later
- iPad mini, 5th generation and later
Worryingly, the flaw has already been exploited in the wild.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said - without giving any further details.
Apple urges users to update immediately
While this implies that the general public is unlikely to be targeted, Apple is advising users to install the new update, which includes improvements to bounds checking, immediately, via Settings, General and Software Update.
The chances are high that the successful attackers are nation-state actors. Similar exploits of Apple devices in the past have been linked to the use of spyware such as Israeli firm NSO Group's Pegasus software.
Already this year, Apple has patched five zero-days that have been exploited in the wild. These included:
- CVE-2025-24085
- CVE-2025-24200
- CVE-2025-24201
- CVE-2025-31200
- CVE-2025-31201
There were half a dozen more last year, figures show. The company also last month patched a Safari vulnerability - CVE-2025-6558 - residing in an open source component.
Google reported it had been exploited as a zero-day in the Chrome web browser.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Google's new Jules coding agent is free to use for anyone – and it just got a big new update to prevent bad code outputNews Jules came out of beta and launched publicly earlier this month, but it's already had a big update aimed at improving code quality and safety.
-
What is cluster computing and how it can help your enterprise?Explainer Knowing what cluster computing is – and isn't – is the first step towards understanding its advantages
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
Rapper Bot was ‘one of the most powerful DDoS botnets to ever exist’ – now it’s done and dustedNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
‘Hugely significant’: Experts welcome UK government plans to back down in Apple encryption battle – but it’s not quite over yetNews Tulsi Gabbard, US director of national intelligence, has confirmed the UK plans to back down on plans that would see Apple forced to create a "back door" for authorities.
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
