Apple Addresses Actively-Exploited Zero-Day In WebKit Browser Engine

Security Affairs reports that updates have been released by Apple to resolve an out-of-bounds write zero-day vulnerability in its WebKit browser engine, tracked as CVE-2025-24201, which has already been leveraged in "extremely sophisticated" intrusions.

According to an Apple advisory, attacks exploiting the flaw could enable the creation of malicious content that could escape the Web Content sandbox. The flaw affects iPhone XS and later, iPad 7th generation and later, iPad mini 5th generation and later, iPad Air 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Pro 12.9-inch 3rd generation and later, and iPad Pro 13-inch, as well as Macs running macOS Sequoia and Apple Vision Pro.

The zero-day is the third one remediated by Apple so far this year. Immediate application of iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3 has been recommended by the firm, which did not provide additional details regarding the attacks.