- Apple fixes CVE-2025-43300, an out-of-bounds write bug in iOS and iPadOS
- The flaw allowed threat actors to carry out remote code execution attacks
- There are signs of in-the-wild exploitation, so users should be on their guard
Apple has fixed a flaw in iOS and iPadOS that was apparently used in "an extremely sophisticated attack against specific targeted individuals".
In a security advisory, Apple said it fixed an out-of-bounds write problem it found in the ImageIO framework, which lets apps open, save and work with image files efficiently, including reading metadata such as EXIF data or creating thumbnail images.
An out-of-bounds write happens when software mistakenly writes data beyond the memory area it is supposed to use. This can corrupt memory, crash apps and even allow threat actors to run malicious code remotely.
Keeping the details from the bad guys
The bug in ImageIO allowed specially crafted images to overflow memory bounds and overwrite adjacent data when they were processed. A threat actor could deliver a malicious image in an email, a message or on a web page. If a vulnerable device tried to render it, the out-of-bounds write could have let the attacker crash the system or even run malware.
The flaw is tracked as CVE-2025-43300 and does not yet have a severity score. Apple did not discuss its findings further, to give everyone enough time to patch without giving other threat actors knowledge of how to abuse it.
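As an added illustration of the bug class described above (not Apple's code and not the actual ImageIO defect), here is a constructed toy image decoder: in the vulnerable form, dimensions read from the file drive a copy without being checked against the destination buffer, and the hardened form rejects the image before writing anything. The format, the `MAX_PIXELS` capacity and the sample images are all made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy image: width and height as 16-bit big-endian values,
 * followed by width*height 8-bit grayscale samples. Not a real format. */
#define HDR_LEN 4
#define MAX_PIXELS 4096          /* capacity of the caller's pixel buffer */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern (CWE-787): the header-derived pixel count is used as
 * the copy length with no check against the destination, so a header that
 * declares more pixels than MAX_PIXELS makes memcpy write past 'out'. */
void decode_unchecked(const uint8_t *in, size_t in_len, uint8_t out[MAX_PIXELS]) {
    if (in_len < HDR_LEN) return;
    size_t npix = (size_t)be16(in) * be16(in + 2);
    memcpy(out, in + HDR_LEN, npix);   /* out-of-bounds write when npix > MAX_PIXELS */
}

/* Hardened form: validate every header-derived size against both the
 * destination capacity and the actual input length before any write.
 * Returns the number of pixels written, or -1 if the image is rejected. */
long decode_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL || in_len < HDR_LEN) return -1;
    size_t w = be16(in), h = be16(in + 2);
    if (w == 0 || h == 0) return -1;              /* reject empty dimensions */
    if (w > SIZE_MAX / h) return -1;              /* w*h would overflow size_t */
    size_t npix = w * h;
    if (npix > out_cap) return -1;                /* would write past the destination */
    if (npix > in_len - HDR_LEN) return -1;       /* would read past the input */
    memcpy(out, in + HDR_LEN, npix);
    return (long)npix;
}

/* Constructed sample inputs used by the stand-alone run below. */
static const uint8_t SAMPLE_GOOD[]      = {0x00, 0x02, 0x00, 0x02, 1, 2, 3, 4};  /* 2x2 */
static const uint8_t SAMPLE_OVERSIZED[] = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4};  /* claims 65535x65535 */
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x40, 0x00, 0x40, 1, 2};        /* 64x64, data missing */
static uint8_t scratch[MAX_PIXELS];

int main(void) {
    long ok   = decode_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, scratch, MAX_PIXELS);
    long big  = decode_checked(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, scratch, MAX_PIXELS);
    long shrt = decode_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, scratch, MAX_PIXELS);
    return (ok == 4 && big == -1 && shrt == -1) ? 0 : 1;  /* 0 when all three behave as intended */
}
```

Only the checked decoder is ever called; the unchecked one is there to show the missing comparison that "improved bounds checking" adds.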
Devices affected by this bug include iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Apple fixed it with improved bounds checking in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8 and macOS Ventura 13.7.8.
This is the sixth zero-day vulnerability patched since the beginning of 2025, BleepingComputer reports, following CVE-2025-24085 (January), CVE-2025-24200 (February), CVE-2025-24201 (March) and two in April, CVE-2025-31200 and CVE-2025-31201.
Via BleepingComputer