What just happened? Apple has released an urgent software update to address a newly discovered security vulnerability that could allow attackers to compromise iPhones, iPads, and Mac computers through a malicious image file. The flaw, identified as CVE-2025-43300, affects multiple versions of Apple's operating systems and has already been linked to what the company describes as "extremely sophisticated attacks" aimed at selected individuals.
According to Apple, the issue lies within Image I/O, the company's framework for handling a wide range of image file formats. If a device processes a specially crafted image, it can trigger memory corruption. While Apple has not disclosed what specific outcomes this corruption might cause, security experts warn that memory corruption bugs often allow attackers to alter the execution of software, creating opportunities to install malicious code or exfiltrate data.
The company has not offered details on who might be behind the attacks, but the description suggests involvement of advanced threat actors, possibly spyware developers. Apple confirmed that users may be targeted through images delivered in text messages or emails, though it is not known how many individuals or organizations may already have been affected.
This is not the first time Apple has had to respond to a media file vulnerability across its platforms. Earlier this year, the company patched a flaw in its Core Audio framework that could also be exploited through crafted audio or video files. That vulnerability similarly relied on triggering a memory corruption bug to potentially enable malicious activity.
The latest fixes are available for a wide range of Apple devices. For iPhone, the patch is included in iOS 18.6.2 for models starting with the iPhone XS and newer. The updates are also available in iPadOS 18.6.2 and 17.7.10, as well as macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
Apple is advising all users to install the updates as soon as possible. On iPhone and iPad, the patches can be applied by navigating to Settings > General > Software Update. Devices with automatic updates enabled will receive the patch without further action.
Zero-day vulnerabilities have become an increasing concern for technology companies and their customers. Because these flaws are actively exploited before patches are released, they often pose the most serious security risks. While many details of CVE-2025-43300 remain unknown, Apple's disclosure makes clear that the exploit was observed in real-world attacks.
Apple issues emergency update to fix zero-day exploit in iPhone and macOS
