Apple Drops Another WebKit Zero-Day Bug - Dark Reading

A threat actor leveraged the vulnerability in an "extremely sophisticated" attack on targeted iOS users, the company says.

Jai Vijayan, Contributing Writer
March 12, 2025

For the third time in as many months, Apple has released an emergency patch to fix an already exploited zero-day vulnerability impacting a wide range of its products.

The new vulnerability, identified as CVE-2025-24201, exists in Apple's WebKit open source browser engine for rendering Web pages in Safari and other apps across macOS, iOS, and iPadOS. WebKit is a frequent target for attackers because of how deeply integrated it is with Apple's ecosystem.

A Supplementary Fix

Apple described the zero-day vulnerability as an out-of-bounds-write issue that the company has addressed in iOS 18.3.2, iPadOS 18.3.2, Safari 18.3.1, macOS Sequoia 15.3.2, and visionOS 2.3.2. "Maliciously crafted web content may be able to break out of Web Content sandbox," which is used to protect user data and system resources from compromised apps, Apple said. "This is a supplementary fix for an attack that was blocked in iOS 17.2."

Affected products include iPhone XS and later, iPad Pro 13, 12.9-inch iPad Pro 3rd generation and later, 11-inch iPad Pro 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Also impacted are systems running macOS Sequoia and Apple Vision Pro.

Apple's typically sparse bug disclosure noted that the company is aware of CVE-2025-24201 being exploited in "an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2," but left users in the dark on the details.

Nation-State Actor?

That's more or less the exact language Apple used to describe a zero-day vulnerability in February (CVE-2025-24200) that affected multiple iOS and iPadOS versions. Then, as now, Apple offered no details on the attacks that targeted the flaw beyond describing them as "extremely sophisticated." However, the fact that the bug discoverer was a researcher at The Citizen Lab at the University of Toronto's Munk School — an organization focused on government surveillance and spyware threats — suggested a nation-state actor may have been behind those attacks.

In January, Apple disclosed another zero-day, CVE-2025-24085, that affected macOS, iOS, and multiple other Apple products. In that instance, the US Cybersecurity and Infrastructure Security Agency (CISA) added the use-after-free, elevation of privilege flaw to its known exploited vulnerability catalog, citing exploit activity. The fact that it has not done that yet with this week's new CVE-2025-24201 suggests that the attacks that Apple mentioned in its disclosure have been limited and targeted so far.

Since 2023, Apple has disclosed a total of 17 zero-day bugs in WebKit that attackers have exploited in the wild.
In some cases — such as CVE-2023-41064 and CVE-2023-41061 — the attackers were nation-state operatives deploying commercial spyware like Pegasus and Predator to target iPhone users.

Complex to Exploit

CVE-2025-24201 allows an attacker to craft malicious Web content capable of escaping the Web Content sandbox, potentially leading to the execution of arbitrary code on the device, says Adam Boynton, an Apple security expert and security researcher at Jamf. In a worst-case scenario, successful exploitation of this vulnerability could grant an attacker full control over an affected device, he says. It could allow them to install malware on a compromised device, steal sensitive data, escalate privileges, monitor user activity, and bypass security mechanisms to maintain persistence.

"The complexity of exploiting CVE-2025-24201 depends on the attacker's resources and technical expertise," Boynton says. "Crafting a reliable WebKit exploit requires deep knowledge of memory corruption techniques, browser internals, and bypassing modern security mitigations like Pointer Authentication Codes (PAC) and Control Flow Integrity (CFI)." It's highly unlikely that script kiddies and amateur hackers would be able to exploit a flaw like CVE-2025-24201 on their own, he adds.

Even advanced cybercriminals and nation-state actors will likely require a working exploit chain, Boynton notes. "WebKit vulnerabilities are often combined with additional exploits — (like) kernel privilege escalation — to achieve full device compromise," he says. "Once an exploit is developed, mass exploitation is relatively easy via malicious websites, watering-hole attacks, phishing emails, or infected advertisements."

Users that cannot immediately apply Apple's patches for the flaw should enable capabilities to monitor for suspicious activity and block access to known malicious websites.
Boynton says they should also enable content filtering to restrict access to untrusted and high-risk domains, enable Lockdown Mode, and avoid clicking on unverified links in emails, messages, or social media.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.