
Apple has issued a critical security update to address a zero-day vulnerability (CVE-2025-24201) that has been actively exploited in “extremely sophisticated” targeted attacks.
The flaw exists in WebKit, Apple’s web browser engine. It is an out-of-bounds write issue that could allow attackers to escape the Web Content sandbox through maliciously crafted web content. Apple has implemented improved checks to prevent unauthorized actions as part of the fix.
According to Apple, this update supplements a previous security measure implemented in iOS 17.2. The company notes that the vulnerability “may have been exploited in an extremely sophisticated attack against specific targeted individuals” on earlier iOS versions. The advisory provides no details about the attack timeline, targets, or whether the vulnerability was discovered internally or by external researchers.
## Affected Devices and Updates
The fix is included in the following releases:
- iOS 18.3.2 and iPadOS 18.3.2 (iPhone XS and later, various iPad models)
- macOS Sequoia 15.3.2
- Safari 18.3.1 (for macOS Ventura and Sonoma)
- visionOS 2.3.2 (Apple Vision Pro)
This marks the third actively exploited zero-day vulnerability Apple has addressed in 2025, following CVE-2025-24085 and CVE-2025-24200.