Apple Releases Emergency Patches for Zero-Day Vulnerability in WebKit Engine
Apple has released emergency patches to address a zero-day vulnerability in its WebKit engine. According to the company, the issue has already been exploited in "extremely sophisticated" attacks.
Identified as CVE-2025-24201, the vulnerability was discovered in the cross-platform WebKit engine, which is used in the Safari browser and many other apps and browsers across macOS, iOS, Linux, and Windows.
"This is an additional fix for an attack that was blocked in iOS 17.2," the company said. "Apple is aware that this issue could be used in iOS prior to iOS 17.2 as part of highly sophisticated attacks targeting specific individuals."
According to Apple, attackers can exploit CVE-2025-24201 using specially crafted web content, leading to a sandbox escape.
The company addressed this out-of-bounds write issue by strengthening checks to prevent unauthorized actions in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.
The latest zero-day vulnerability affects a variety of devices, including both old and new models:
iPhone XS and later
iPad Pro 13, 12.9-inch iPad Pro 3rd generation and later, 11-inch iPad Pro 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
macOS Sequoia computers
Apple Vision Pro
So far, Apple has not disclosed details on how this vulnerability was discovered or provided information about the "extremely sophisticated" attacks associated with CVE-2025-24201.
This is the third zero-day vulnerability Apple has fixed in 2025. The company addressed the first in January (CVE-2025-24085) and the second in February (CVE-2025-24200).


