Apple has fixed a dangerous zero-day vulnerability in Safari’s WebKit engine with an emergency patch. The tech giant indicated that the vulnerability has already been exploited in highly sophisticated attacks.
Apple says the emergency patch complements an earlier fix in iOS 17.2. The vulnerability, CVE-2025-24201, was found in WebKit, the cross-platform engine behind its Safari browser and behind applications on other operating systems, such as macOS, Linux, and Windows.
The flaw is an out-of-bounds write that lets attackers use malicious content to break out of the Web Content sandbox. In particular, these were targeted attacks against iOS users on versions that had not yet received the v17.2 update. According to the tech giant, these advanced attacks are said to have been common.
Install the patch quickly
The patch now released at least ensures that iOS version 18.3.2 is protected against these attacks. iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2 and Safari 18.3.1 are also protected.
Vulnerable devices are:
- iPhone XS and later models;
- iPad Pro 13-inch, iPad Pro 12.9-inch (third generation and newer), iPad Pro 11-inch (first generation and newer), iPad Air (third generation and newer), iPad (seventh generation and newer) and iPad mini (fifth generation and newer);
- Macs running macOS Sequoia;
- Apple Vision Pro.
Apple advises every iPhone, iPad, MacBook and Vision Pro user to install the update immediately.
Already two fixes in 2025
The patch is not the first released by the tech giant this year. Patches have also been released in recent months: in January for CVE-2025-24085, and in February for CVE-2025-24200. A total of six patches were issued by Apple in 2024.