
Apple has released urgent security updates to address a zero-day vulnerability (CVE-2025-24201) that was exploited in what the company describes as “extremely sophisticated” targeted attacks. The flaw exists in WebKit, the browser engine powering Safari and numerous other applications across Apple’s ecosystem.
“This is a supplementary fix for an attack that was blocked in iOS 17.2,” Apple stated in Tuesday’s security advisories. The vulnerability allowed attackers to use maliciously crafted web content to escape the Web Content sandbox through an out-of-bounds write issue.
## Affected Devices
The security updates have been deployed across multiple platforms:
- iOS 18.3.2 and iPadOS 18.3.2
- macOS Sequoia 15.3.2
- visionOS 2.3.2
- Safari 18.3.1

Impacted devices include iPhone XS and later models, various iPad Pro, iPad Air, and iPad mini generations, Macs running macOS Sequoia, and Apple Vision Pro.
## Security Context
This marks Apple’s third zero-day patch in 2025, following fixes in January (CVE-2025-24085) and February (CVE-2025-24200). The company addressed six zero-days throughout 2023, a significant decrease from the 20 zero-day vulnerabilities patched in 2022.
While Apple has not attributed the discovery to specific researchers or provided details about the attacks, users are strongly encouraged to install the updates immediately to protect against potential ongoing exploitation attempts.