- Apple corrects the CVE-2025-43300, an off-limit writing bug in iOS and iPados
- The bug has enabled the threats to execute distant code execution attacks
- There is evidence of abuse in the wild, so users should be on their care
Apple has corrected a bug in iOS and iPados which was apparently used in “an extremely sophisticated attack against specific targeted individuals”.
In a security notice, Apple declared that it has solved an out -of -limited writing problem that he found in the Imago Framework, which allows you to open, save and work with image files with files, including reading details such as Exif data or miniature creation.
An outstanding bug occurs when the software wrongly writes data beyond the memory area that it was supposed to. This can corrupt memory, crush applications and even allow threat actors to execute malicious code, remotely.
Hide the details of the crooks
Since the bug was found in Imageio, it allowed the specially designed images to overflow with memory checks and crush the adjacent data when processed. A threat actor could send a malicious image to an email, a message or a web page. If the vulnerable device should try to return it, the outlet writing could allow the attacker to crush the system, or even execute malicious software.
The bug is followed as CVE-2025-43300 and has no serious score yet. Apple has not discussed more results, in order to give everyone enough time to patcher, without giving other actors in the threat of knowledge about how to abuse them.
The devices affected by this defect include the iPhone XS and later, iPad Pro 13 inch, iPad Pro 12.9 inch 3rd generation and later, iPad Pro 11 inch of 1st generation and later, iPad Air 3rd generation and later, IPAD 7th generation and later, and iPad Mini 5th generation and later.
Apple corrected it by improving the verifications of the limits, in the iOS 18.6.2 and iPados 18.6.2, iPados 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8 and macOS Ventura 13.7.8.
This is the apple of vulnerability in the sixth day zero-day fixed since the beginning of 2025, Bleeping Compompute Reports, including CVE-2025-24085 (January), CVE-2025-24200 (February), CVE-2025-24201 (March) and two in April, CVE-2025-31200 and CVE-2025-31201.
Via Bleeping Compompute
