Three zero-day vulnerabilities have left Apple users exposed to what the tech giant calls “extremely sophisticated” attacks. The flaws, tracked as CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, were actively exploited before Apple could release patches. Talk about terrible timing.
These vulnerabilities affected pretty much everything Apple makes – iPhones, iPads, Macs, Apple Watches, and even the fancy new Vision Pro.
No Apple device was left unscathed—from your pocket to your wrist, everything in the Apple ecosystem was vulnerable.
The attacks weren’t random. They targeted specific individuals, suggesting state-sponsored actors were behind them. No surprise there. One vulnerability let attackers bypass USB Restricted Mode on locked devices – you know, that feature that’s supposed to keep your data safe when someone gets physical access to your phone.
Another flaw in WebKit (Safari’s engine) allowed hackers to escape the Web Content sandbox. The third vulnerability? A use-after-free issue in CoreMedia that enabled privilege escalation. The WebKit vulnerability was specifically designated as CVE-2025-24201 and involves an out-of-bounds write vulnerability that can be exploited through maliciously crafted web content.
Apple didn’t waste time addressing these threats. They pushed out emergency patches faster than you can say “zero-day.” iPhone and iPad users need iOS 18.3, Mac users need macOS Sequoia 15.3, and Apple Watch users need watchOS 11.3.
Apple TV and Vision Pro users aren’t off the hook either – updates available for those too.
This isn’t Apple’s first rodeo with zero-days. WebKit has been a favorite target for sophisticated attacks for years. Experts strongly recommend enabling Automatic Updates for future security fixes to stay protected. Remember FORCEDENTRY? That nasty exploit bypassed Apple’s “BlastDoor” protections and helped deploy Pegasus spyware. Journalists and activists often end up in the crosshairs of these attacks. Not cool.
The technical details remain sparse – Apple keeps them under wraps to avoid helping the bad guys. Smart move. But the high CVSS scores (8.1 and 7.8 for two of them) tell us enough. These were serious.
Lockdown Mode might help users at high risk, but it’s no silver bullet. The truth is, even Apple’s walled garden isn’t impenetrable. These zero-days prove it. The cat-and-mouse game between Apple and attackers isn’t ending anytime soon.
For now, update your devices. Like, yesterday. Because somewhere, sophisticated attackers are already looking for their next way in. And they’re probably finding it.
