Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update now

Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability

Apple logo pictured on a storefront in Hangzhou city, Zhejiang province, China.
(Image credit: Getty Images)
Emma Woollacott's avatar
By
published
in News

Apple has issued an emergency security update for iPhone, iPad, and Mac users to patch a critical zero-day vulnerability that it said has already been exploited in the wild.

The out-of-bounds write vulnerability, designated CVE-2025-43300, was discovered by Apple security researchers and affects the Image I/O framework, which enables applications to read and write various different image file formats.

"Processing a malicious image file may result in memory corruption,” the tech giant said in an advisory.

An out-of-bounds write vulnerability occurs when attackers write data outside a program's allocated memory boundaries, potentially overwriting critical system information - in this case by sending a malicious image delivered via email, messaging apps or malicious websites.

If the victim opens the image, it could allow the attackers to carry out arbitrary code execution, potentially allowing them to take full control of an affected device and spy on users, steal data or install further malware.

The flaw affects the iPhone XS and later models, according to Apple. Devices impacted include:

  • iPad Pro 13-inch
  • iPad Pro 12.9-inch, 3rd generation and later
  • iPad Pro 11-inch, 1st generation and later
  • iPad Air, 3rd generation and later
  • iPad 7th generation and later
  • iPad mini, 5th generation and later

Worryingly, the flaw has already been exploited in the wild.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said - without giving any further details.

Apple urges users to update immediately

While this implies that the general public is unlikely to be targeted, Apple is advising users to install the new update, which includes improvements to bounds checking, immediately, via Settings, General and Software Update.

The chances are high that the successful attackers are nation-state actors. Similar exploits of Apple devices in the past have been linked to the use of spyware such as Israeli firm NSO Group's Pegasus software.

Already this year, Apple has patched five zero-days that have been exploited in the wild. These included:

  • CVE-2025-24085
  • CVE-2025-24200
  • CVE-2025-24201
  • CVE-2025-31200
  • CVE-2025-31201

There were half a dozen more last year, figures show. The company also last month patched a Safari vulnerability - CVE-2025-6558 - residing in an open source component.

Google reported it had been exploited as a zero-day in the Chrome web browser.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸