Apple has issued security updates, and has now backported them to older iOS and iPadOS releases, for CVE-2025-43300, a vulnerability that has been exploited in the wild in sophisticated spyware attacks against specific individuals. The flaw, rated CVSS 8.8, is in the ImageIO framework and causes memory corruption when a malicious image file is processed.
Understanding CVE-2025-43300
CVE-2025-43300 is an out-of-bounds write in Apple’s ImageIO framework, the system library that decodes image formats on behalf of any application that displays them. An attacker-crafted image file can make the decoder write outside the buffer it allocated, corrupting adjacent memory. The consequences range from a crash to, in the worst case, arbitrary code execution inside the process that rendered the image. Because ImageIO is shared across the system, the attack surface is every app that decodes untrusted images, including messaging apps that automatically render incoming attachments, which is what makes a zero-click delivery path possible.
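To make the bug class concrete, the following is an added example in C, not Apple’s code and not the actual ImageIO defect (Apple has not published the faulty code). It defines a constructed toy tile-based image format, a decoder that trusts the tile geometry from the file, and a hardened decoder that checks that the tile fits inside the image before writing anything. A canary region placed after the pixel buffer makes the out-of-bounds write observable without corrupting unrelated memory; the format, field names and sample inputs are all invented for this illustration.

```c
/* Illustrative out-of-bounds write in an image tile decoder, with the fix.
 * Constructed toy format (not ImageIO, not DNG, not the CVE-2025-43300 code):
 * a 12-byte little-endian header of six uint16 fields
 *   width, height, tile_x, tile_y, tile_w, tile_h
 * followed by tile_w * tile_h one-byte samples. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xAA

struct toy_image {
    uint16_t width, height;
    uint8_t *pixels;   /* width*height bytes, then `slack` bytes of CANARY */
    size_t slack;
};

struct tile_hdr { uint16_t x, y, w, h; const uint8_t *samples; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Allocate the pixel area plus a canary-filled slack region behind it. */
struct toy_image *image_alloc(uint16_t w, uint16_t h, size_t slack) {
    struct toy_image *img = calloc(1, sizeof *img);
    if (!img) return NULL;
    size_t n = (size_t)w * h;
    img->pixels = malloc(n + slack);
    if (!img->pixels) { free(img); return NULL; }
    memset(img->pixels, 0, n);
    memset(img->pixels + n, CANARY, slack);
    img->width = w; img->height = h; img->slack = slack;
    return img;
}

void image_free(struct toy_image *img) { if (img) { free(img->pixels); free(img); } }

/* Number of canary bytes overwritten: >0 means a write went past the pixels. */
size_t slack_corrupted(const struct toy_image *img) {
    size_t n = (size_t)img->width * img->height, bad = 0;
    for (size_t i = 0; i < img->slack; i++) if (img->pixels[n + i] != CANARY) bad++;
    return bad;
}

/* Parse the header and check the sample data is actually present in the file.
 * (Both decoders use the image's own dimensions; the header's width/height
 * fields are only used by the caller when allocating.) */
static int parse_tile(const uint8_t *buf, size_t len, struct tile_hdr *t) {
    if (len < 12) return -1;
    t->x = rd16(buf + 4); t->y = rd16(buf + 6);
    t->w = rd16(buf + 8); t->h = rd16(buf + 10);
    if (t->w == 0 || t->h == 0) return -1;
    if (len - 12 < (size_t)t->w * t->h) return -1;   /* truncated input */
    t->samples = buf + 12;
    return 0;
}

/* Vulnerable: the input is well-formed, but the tile geometry is trusted.
 * A tile with tile_y + tile_h > height (or tile_x + tile_w > width) writes
 * past the end of pixels[]. */
int decode_tile_vulnerable(struct toy_image *img, const uint8_t *buf, size_t len) {
    struct tile_hdr t;
    if (parse_tile(buf, len, &t)) return -1;
    for (size_t r = 0; r < t.h; r++)
        memcpy(img->pixels + ((size_t)t.y + r) * img->width + t.x,
               t.samples + r * t.w, t.w);               /* destination unchecked */
    return 0;
}

/* Hardened: reject the tile before the first write unless it lies entirely
 * inside the image. Arithmetic is done in size_t so uint16 fields cannot wrap. */
int decode_tile_hardened(struct toy_image *img, const uint8_t *buf, size_t len) {
    struct tile_hdr t;
    if (parse_tile(buf, len, &t)) return -1;
    if ((size_t)t.x + t.w > img->width || (size_t)t.y + t.h > img->height)
        return -1;                                      /* nothing written */
    for (size_t r = 0; r < t.h; r++)
        memcpy(img->pixels + ((size_t)t.y + r) * img->width + t.x,
               t.samples + r * t.w, t.w);
    return 0;
}

/* Constructed inputs for a 4x4 image. good_tile covers rows 1-2; evil_tile
 * claims rows 3-6, i.e. three rows beyond the last row of the image. */
static const uint8_t good_tile[12 + 8] = {
    4,0, 4,0, 0,0, 1,0, 4,0, 2,0,
    0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11 };
static const uint8_t evil_tile[12 + 16] = {
    4,0, 4,0, 0,0, 3,0, 4,0, 4,0,
    0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11,
    0x11,0x11,0x11,0x11, 0x11,0x11,0x11,0x11 };

/* Run one decoder on one input against a fresh 4x4 image with 64 canary bytes.
 * Returns the number of canary bytes overwritten, or (size_t)-1 if rejected. */
size_t bytes_written_past_end(int (*decode)(struct toy_image *, const uint8_t *, size_t),
                              const uint8_t *buf, size_t len) {
    struct toy_image *img = image_alloc(4, 4, 64);
    if (!img) return (size_t)-1;
    size_t out = decode(img, buf, len) == 0 ? slack_corrupted(img) : (size_t)-1;
    image_free(img);
    return out;
}

int main(void) {
    printf("vulnerable, evil tile: %zu bytes past end\n",
           bytes_written_past_end(decode_tile_vulnerable, evil_tile, sizeof evil_tile));
    printf("hardened,   evil tile: %s\n",
           bytes_written_past_end(decode_tile_hardened, evil_tile, sizeof evil_tile) == (size_t)-1
               ? "rejected" : "accepted");
    return 0;
}
```

The point to take from the two decoders is that the vulnerable one passes every check a length-only parser would apply (the header is complete and the sample data is present) and still corrupts memory, because the geometry that decides where bytes land is never compared against the allocation. In a real decoder the bytes landing past the end would overwrite whatever the allocator placed next, which is what an exploit chain turns into code execution.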
Exploitation in the Wild
Apple stated that it is aware of a report that the vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals. That wording, which Apple reserves for mercenary spyware cases, points to an actor with substantial expertise and resources, such as a state-sponsored group or the commercial spyware vendors that sell to them. Apple has not disclosed who the attackers were, who was targeted, or how the exploit works.
WhatsApp’s Involvement
In a related development, WhatsApp disclosed CVE-2025-55177 (CVSS 5.4) in its iOS and macOS clients: incomplete authorization of linked-device synchronization messages could let an unrelated user trigger the processing of content from an arbitrary URL on a target’s device. WhatsApp assessed that this flaw may have been chained with CVE-2025-43300 in a highly targeted spyware campaign and notified fewer than 200 affected users. Chained this way, the WhatsApp bug delivers the attacker-controlled content and the ImageIO bug executes code when that content is decoded, with no action by the victim, which is what makes the attack zero-click.
Apple’s Response and Backporting Efforts
Initially, Apple addressed CVE-2025-43300 in late August 2025 with the release of updates for iOS 18.6.2, iPadOS 18.6.2, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1. Recognizing the severity of the vulnerability and its active exploitation, Apple has now extended these fixes to older operating system versions to protect users who have not yet upgraded to the latest releases. The backported updates are available for:
– iOS 16.7.12 and iPadOS 16.7.12: Applicable to iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation.
– iOS 15.8.5 and iPadOS 15.8.5: Covers iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
These updates are part of a broader release that includes iOS 26, iPadOS 26, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, and Xcode 26. In addition to addressing CVE-2025-43300, these updates rectify several other security vulnerabilities, including:
– CVE-2025-31255: An authorization issue in IOKit that could allow an application to access sensitive data without proper permissions.
– CVE-2025-43362: A flaw in LaunchServices that could enable an application to monitor keystrokes without user consent.
– CVE-2025-43329: A permissions vulnerability in the Sandbox component that could allow an application to escape its sandbox environment.
– CVE-2025-31254: A vulnerability in Safari that could lead to unexpected URL redirection when processing maliciously crafted web content.
– CVE-2025-43272: A WebKit issue that could cause Safari to crash unexpectedly when handling malicious web content.
– CVE-2025-43285: A permissions flaw in AppSandbox that could allow an application to access protected user data.
– CVE-2025-43349: An out-of-bounds write issue in CoreAudio that could result in unexpected application termination when processing a maliciously crafted video file.
– CVE-2025-43316: A permissions vulnerability in DiskArbitration that could allow an application to gain root privileges.
– CVE-2025-43297: A type confusion vulnerability in Power Management that could lead to a denial-of-service condition.
– CVE-2025-43204: A flaw in RemoteViewServices that could allow an application to escape its sandbox.
– CVE-2025-43358: A permissions issue in Shortcuts that could allow a shortcut to bypass sandbox restrictions.
– CVE-2025-43333: A permissions vulnerability in Spotlight that could allow an application to gain root privileges.
– CVE-2025-43304: A race condition in StorageKit that could allow an application to gain root privileges.
– CVE-2025-48384: A Git vulnerability in Xcode that could result in remote code execution when cloning a maliciously crafted repository.
Recommendations for Users
Given the active exploitation of CVE-2025-43300 and its use in a zero-click spyware chain, users and administrators should update affected devices promptly:
1. Check the installed version: On iPhone and iPad, Settings > General > About shows the iOS or iPadOS version. Compare it against the fixed build for that branch (15.8.5, 16.7.12, or 18.6.2 and later, including iOS 26). Devices that cannot run iOS 18 were unprotected until the backported 15.x and 16.x builds shipped, so they need this update as much as current devices do.
2. Install Updates: Use Settings > General > Software Update on iOS and iPadOS, or System Settings > General > Software Update on macOS, and install the latest available build so that every listed fix is applied.
3. Stay Informed: Monitor Apple’s security release notes and other trusted sources for new advisories and for any further backports.
4. Exercise Caution, with a caveat: Be wary of unsolicited messages and files, even from known contacts, since attackers use social engineering to deliver exploits. Note, however, that the chain described above required no user interaction, so vigilance alone does not prevent it; patching does. Individuals who believe they may be targeted by mercenary spyware can additionally enable Lockdown Mode, Apple’s hardened configuration for high-risk users.
Taking these steps substantially reduces the risk from CVE-2025-43300 and the other vulnerabilities fixed in this release.