Vulnerability Summary
CVE-2025-43300 is a zero-day out-of-bounds write vulnerability in the ImageIO framework used by Apple devices. ImageIO is responsible for decoding and processing multiple image formats, which makes it a frequent target for remote exploitation: parsing untrusted image files exposes a wide attack surface.
Vulnerability Details
- Type: Out-of-bounds write, leading to memory corruption.
- Location: ImageIO framework (affecting iOS, iPadOS, macOS)
- Trigger: A specially crafted image file processed by ImageIO can cause memory boundaries to be overwritten by attacker-controlled data.
- Potential Impact: With successful exploitation, attackers may execute arbitrary code on the victim device. This can lead to full device compromise, installation of spyware, or unauthorized data access.
Exploit Mechanics
- Initial Vector: Remote attacker sends or hosts a malicious image (such as a JPEG or PNG).
- Trigger Scenario: The user may encounter the image via email, a website, an app, or any messaging platform that previews images. The exploit requires no user interaction beyond the image being processed.
- Attack Complexity: The attack leverages sophisticated image payloads to trigger the memory overwrite, bypassing standard mitigations in the framework. There is evidence this vulnerability was used in highly targeted attacks, likely requiring significant skill and resources.
Apple’s Remediation
- Patch Release Date: August 19–21, 2025
- Patched OS Versions:
- iOS: 18.6.2
- iPadOS: 18.6.2, 17.7.10 (specific legacy models)
- macOS Sequoia: 15.6.1
- macOS Sonoma: 14.7.8
- macOS Ventura: 13.7.8
- Patch Approach: Apple improved bounds checking and memory validation within ImageIO, preventing the crafted image from causing writes outside intended memory regions.
Affected Devices (Per Apple and CISA)
- iPhone XS and later: iOS 18.6.2
- iPad Pro (all recent generations): iPadOS 18.6.2, 17.7.10
- iPad 7th gen and later: iPadOS 18.6.2, 17.7.10
- iPad Air 3rd gen and later: iPadOS 18.6.2
- iPad mini 5th gen and later: iPadOS 18.6.2
- macOS Sonoma, Ventura, Sequoia: Sonoma 14.7.8, Ventura 13.7.8, Sequoia 15.6.1
Threat Intelligence
- Exploitation in the Wild: Confirmed. Attackers leveraged CVE-2025-43300 as part of advanced campaigns targeting select individuals, likely for surveillance or espionage. Apple and independent researchers observed sophisticated use, possibly linked to state-sponsored or criminal actors.
- CISA KEV Listing: CISA has flagged the CVE as actively exploited and urged immediate updates for all managed Apple devices[4].
- No Public Exploit: As of the patch release, there is no public exploit code circulating, though this status could change.
Mitigation Steps
- Immediate Patching: All users and organizations should update devices to the latest OS version as soon as possible. Prioritize endpoints handling sensitive data or exposed to external image files.
- Detection: There are currently no widespread detection signatures for exploitation, but network monitoring of unusual image transfers and endpoint response anomalies could aid future investigations.
- Policy: Consider application controls or network segmentation for unpatched endpoints, if patching cannot be completed rapidly.
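To prioritize patching across a fleet, the check below compares each device's reported OS version against the patched builds listed above and flags anything still exposed. This is an added example, not code from Apple or CISA; the inventory records are constructed sample data, and treating a branch with no listed fix (such as macOS 12) as vulnerable is an assumption made here for conservative triage.

```python
"""Flag Apple devices that have not received the CVE-2025-43300 (ImageIO) fix."""

# Minimum patched version per (platform, major release), taken from the advisory.
PATCHED = {
    ("iOS", 18): (18, 6, 2),
    ("iPadOS", 18): (18, 6, 2),
    ("iPadOS", 17): (17, 7, 10),   # legacy iPad models on the 17 branch
    ("macOS", 15): (15, 6, 1),     # Sequoia
    ("macOS", 14): (14, 7, 8),     # Sonoma
    ("macOS", 13): (13, 7, 8),     # Ventura
}


def parse_version(text):
    """'18.6.2' -> (18, 6, 2). Tuples compare numerically, so 18.6.10 > 18.6.2."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(platform, version):
    """True if the device has not received the fix for CVE-2025-43300."""
    ver = parse_version(version)
    floor = PATCHED.get((platform, ver[0]))
    if floor is None:
        newest = max((m for (p, m) in PATCHED if p == platform), default=None)
        # Assumption: a major release newer than any listed ships with the fix;
        # an older branch with no listed build, or an unknown platform, has none.
        return not (newest is not None and ver[0] > newest)
    return ver < floor


def triage(inventory):
    """Return the ids of devices that still need the update."""
    return [r["id"] for r in inventory if is_vulnerable(r["platform"], r["os"])]


# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "os": "18.6.2"},    # patched
    {"id": "iphone-02", "platform": "iOS", "os": "18.6.1"},    # one build short
    {"id": "ipad-03", "platform": "iPadOS", "os": "17.7.10"},  # legacy branch, patched
    {"id": "ipad-04", "platform": "iPadOS", "os": "17.7.9"},   # legacy branch, unpatched
    {"id": "mac-05", "platform": "macOS", "os": "14.7.8"},     # Sonoma, patched
    {"id": "mac-06", "platform": "macOS", "os": "12.7.6"},     # no fix listed for this branch
]

if __name__ == "__main__":
    for dev in triage(SAMPLE_INVENTORY):
        print("needs CVE-2025-43300 update:", dev)
```

Feed it the platform and version fields exported from your MDM to get the list of devices to prioritize.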
Analyst Notes
- Images as a vector: The vulnerability underscores the risk of untrusted images delivered from email, apps, and web platforms even without user click-based interaction.
- Out-of-bounds Write Risks: Such vulnerabilities often lead to robust exploitation paths because of the ability to control memory layout, especially on high-value platforms like Apple’s.
- Patch Urgency: Prompt response is justified not only by confirmed exploitation but by the complexity and silent nature of image-based attacks.