
"Apple has pushed another update to its mobile operating systems, iOS and iPadOS, to address a newly-discovered zero-day that is already being exploited by threat actors in the wild to enable so-called zero-click attacks. Tracked as CVE-2025-43300, the flaw is an out-of-bounds write issue in the ImageIO framework - which is used to enable applications to read and write the majority of image file formats. If successfully exploited, processing a maliciously crafted image file results in memory corruption on the target device."
"The update, which takes iOS and iPadOS to version 18.6.2, addresses this problem with improved bounds checking. Adam Boynton, senior security strategy manager for EMEIA at Jamf, an Apple device management specialist, explained that the flaw could potentially be used by threat actors to compromise the device and enable the execution of malicious code. In these zero-click attacks, malicious payloads are generally delivered via channels such as text message, email, or messaging apps."
"This stealthy methodology means zero-clicks are tricky for enterprise defenders to get to grips with, not least because they are hard to detect and bypass end-user training, but also because they often leave very little in terms of forensic evidence and can operate without setting off any security alerts. Zero-click attacks have also been proven to be highly effective against high-value targets within businesses,"
Apple released iOS and iPadOS 18.6.2 to patch CVE-2025-43300, an out-of-bounds write vulnerability in the ImageIO framework that can cause memory corruption when processing maliciously crafted image files. The flaw enables zero-click attacks that can trigger automatically via messages, email, or messaging apps without any user interaction, potentially allowing threat actors to execute malicious code and compromise devices. The update implements improved bounds checking in ImageIO. Zero-click attacks are difficult to detect, often leave minimal forensic evidence, and can bypass user training, increasing risk for high-value targets such as NGOs, journalists, activists, and other at-risk organisations and individuals.
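The fix described above is "improved bounds checking": the parser must verify a length declared inside the file against what the input actually contains and against the buffer it writes into before copying. The following is an added illustration, not Apple's ImageIO code and not based on the patch itself; it uses a hypothetical, constructed record format (width, height, a 16-bit declared payload length, then payload bytes) to show the three checks a defensive image decoder applies before writing decoded pixels into a fixed-size buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout (constructed for this example, not a real image format):
 *   byte 0      : width in pixels
 *   byte 1      : height in pixels
 *   bytes 2..3  : declared payload length, big-endian
 *   bytes 4..   : payload (one byte per pixel)
 */
#define HEADER_LEN 4

/* Copies the pixel payload into `out`. Returns the number of bytes copied,
 * or -1 if the declared length cannot be trusted. Every value taken from
 * the file is treated as attacker-controlled until it has been checked. */
int parse_pixels_checked(const uint8_t *data, size_t data_len,
                         uint8_t *out, size_t out_len)
{
    if (data == NULL || out == NULL || data_len < HEADER_LEN)
        return -1;                                    /* header must be complete */

    size_t width = data[0];
    size_t height = data[1];
    size_t declared = ((size_t)data[2] << 8) | data[3];
    size_t expected = width * height;                 /* cannot overflow: max 255*255 */

    /* Check 1: the declared length must agree with the dimensions. */
    if (declared != expected)
        return -1;
    /* Check 2: the payload must actually be present in the input (no out-of-bounds read). */
    if (declared > data_len - HEADER_LEN)
        return -1;
    /* Check 3: the payload must fit in the destination (no out-of-bounds write).
     * This is the check whose absence turns a crafted file into memory corruption. */
    if (declared > out_len)
        return -1;

    memcpy(out, data + HEADER_LEN, declared);
    return (int)declared;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t well_formed[] = {2, 2, 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD};
    const uint8_t oversized[]   = {2, 2, 0x01, 0x00, 0xAA};   /* declares 256 bytes, supplies 1 */
    uint8_t pixels[16];

    printf("well-formed record: %d bytes copied\n",
           parse_pixels_checked(well_formed, sizeof well_formed, pixels, sizeof pixels));
    printf("oversized record:   %d (rejected)\n",
           parse_pixels_checked(oversized, sizeof oversized, pixels, sizeof pixels));
    printf("too-small output:   %d (rejected)\n",
           parse_pixels_checked(well_formed, sizeof well_formed, pixels, 2));
    return 0;
}
```

The checks are ordered so that a record is rejected before any memory is touched; an unchecked decoder that trusted `declared` and copied straight into `pixels` would be the class of defect the advisory describes. When reviewing your own parsers for the same pattern, look for any `memcpy`, loop or array index whose bound comes from the file rather than from the destination buffer's known size.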
Read at ComputerWeekly.com