Apple fixed the third actively exploited zero-day of 2025

Apple has released emergency security updates to address CVE-2025-24201, a zero-day vulnerability in the WebKit browser engine that was exploited in “extremely sophisticated” targeted attacks. The out-of-bounds write issue could allow attackers using maliciously crafted web content to escape the Web Content sandbox. This update serves as a supplementary fix for an attack previously blocked in iOS 17.2. Apple addressed the vulnerability with improved checks in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The flaw affects iPhone XS and later models, various iPad models, Macs running macOS Sequoia, and Apple Vision Pro. This marks Apple’s third zero-day vulnerability patched since the beginning of 2025.