WebKit Zero-Day Breach Hits Entire Apple Ecosystem

Apple has released emergency security updates to fix a zero-day vulnerability that was used in highly sophisticated attacks.

The vulnerability, CVE-2025-24201, was found in the WebKit engine, which is used in the Safari browser as well as in many other applications and browsers on macOS, iOS, Linux and Windows. According to Apple, the vulnerability is an out-of-bounds error, and it can allow attackers to break out of the Web Content sandbox when specially crafted web content is opened.

The fix is an additional protective measure against an attack that was previously blocked in iOS 17.2. The company emphasized that the problem could have been used in targeted attacks against individual users on iOS versions released before 17.2. The vulnerability was corrected with improved checks in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2 and Safari 18.3.1.

Both new and older Apple devices were at risk, including:

  • iPhone XS and later models;
  • iPad Pro (starting with the 3rd generation of the 12.9-inch version and 1st generation of the 11-inch version);
  • iPad Air (from the 3rd generation);
  • iPad (from the 7th generation);
  • iPad mini (from the 5th generation);
  • Mac computers running macOS Sequoia;
  • Apple Vision Pro.

The company has not yet announced who discovered the vulnerability.
