Name of the Vulnerable Software and Affected Versions
Apple iOS and iPadOS versions prior to 18.6.2, iPadOS versions prior to 17.7.10, and macOS Sequoia versions prior to 15.6.1
Description
Apple addressed a critical zero-day vulnerability (CVE-2025-43300) in the ImageIO framework that allows remote code execution (RCE) via a maliciously crafted image file. The flaw is an out-of-bounds write in the ImageIO component, triggered when a malicious image is processed, and it does not require user interaction. The vulnerability has been actively exploited in targeted attacks, potentially leading to device compromise and data theft, including theft of cryptocurrency wallets. Reports indicate that it was used in sophisticated attacks, potentially in combination with other exploits. The vulnerability affects iPhones, iPads, and Macs.
Recommendations
Update all affected Apple devices to the latest versions: iOS 18.6.2, iPadOS 18.6.2 or 17.7.10, and macOS Sequoia 15.6.1 or Sonoma 14.7.8.
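To check a device inventory against the fixed versions listed above, the following added example (not Apple's code or part of the original advisory) compares each device's OS version with the fixed version for its release branch. The CSV layout, host names, and the "unknown" status for branches this advisory does not list are assumptions made for the example.

```python
import csv
import io

# Fixed versions as listed in this advisory, keyed by OS and major release branch.
FIXED = {
    "iOS": {18: (18, 6, 2)},
    "iPadOS": {18: (18, 6, 2), 17: (17, 7, 10)},
    "macOS": {15: (15, 6, 1), 14: (14, 7, 8)},
}

def parse_version(text):
    """Turn '17.7.10' into (17, 7, 10); pad to three parts so '15.6' == '15.6.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(os_name, version):
    """Return 'patched', 'vulnerable', or 'unknown' (unparsable or branch not listed)."""
    try:
        ver = parse_version(version)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(os_name, {}).get(ver[0])
    if fixed is None:
        return "unknown"
    # Numeric tuple comparison: as plain strings, "17.7.10" sorts below "17.7.9".
    return "patched" if ver >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map host -> status for CSV text with columns host,os,version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: status(r["os"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and versions), not real data.
SAMPLE = """host,os,version
iphone-01,iOS,18.6.1
iphone-02,iOS,18.6.2
ipad-01,iPadOS,17.7.9
ipad-02,iPadOS,17.7.10
mac-01,macOS,15.6
mac-02,macOS,14.7.8
mac-03,macOS,13.7.6
"""

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Devices reported as "unknown" run a release branch for which this advisory lists no fixed version and need to be checked against Apple's security release notes.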