Apple on Monday announced patches for dozens of vulnerabilities across its mobile and desktop products, including an iOS flaw exploited in attacks as a zero-day.
Tracked as CVE-2025-24085, the exploited bug is described as a use-after-free issue in a CoreMedia component that could be exploited by malicious applications to elevate their privileges.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2,” the tech giant notes in its advisory.
Apple says the security defect was addressed with improved memory management, but did not share specific details on the flaw’s exploitation.
Patches for the vulnerability were also rolled out for macOS Sequoia, tvOS, visionOS, and watchOS, but Apple made no mention of exploitation attempts against these platforms.
iOS 18.3 and iPadOS 18.3 were released on Monday with fixes for CVE-2025-24085 and for 28 other bugs that could lead to authentication bypass, denial-of-service (DoS), arbitrary code execution, privilege escalation, user fingerprinting, system file modification, spoofing, information exposure, and command injection.
macOS Sequoia 15.3 was rolled out with fixes for CVE-2025-24085 and 60 other issues leading to similar outcomes. Apple also announced the release of macOS Sonoma 14.7.3 and macOS Ventura 13.7.3 with fixes for over 40 and 30 security defects, respectively.
On Monday, Apple released iPadOS 17.7.4 with 17 patches, tvOS 18.3 and watchOS 11.3 with 18 fixes, and visionOS 2.3 with 21 patches.
Additionally, the tech giant rolled out Safari 18.3 with fixes for seven vulnerabilities that could lead to browser extension authentication bypass, user interface spoofing, address bar spoofing, user fingerprinting, DoS, unexpected process crash, and command injection.
Users are advised to apply the available patches as soon as possible. Additional information can be found on Apple’s security releases page.
“In this release Apple addressed an actively exploited CoreMedia flaw that could have allowed cyber attackers to take control of targeted devices via a fake app pretending to play multimedia files, giving them access to their sensitive data,” Hackuity VP Sylvain Cortes said in an emailed comment.
“Users who don’t update from older iOS versions remain at risk of exploitation, including unauthorised data access, financial loss, and erosion of user privacy. These vulnerabilities could allow attackers to execute arbitrary code, access sensitive or confidential information and compromise the security of both personal and corporate data,” Cortes added.
Related: Apple Pushes Major iOS, macOS Security Updates
Related: New iOS Security Feature Reboots Devices to Protect User Data: Reports
Related: Apple Faces Critics Over Its Privacy Policies
Related: Apple Complains Meta Requests Risk Privacy in Spat Over EU Efforts to Widen Access to iPhone Tech
