Apple plugs security hole in its iThings that's already been exploited in iOS

Cupertino kicks off the year with a zero-day


Apple has plugged a security hole in the software at the heart of its iPhones, iPads, Vision Pro goggles, Apple TVs and macOS Sequoia Macs, warning some miscreants have already exploited the bug.

The vulnerability, tracked as CVE-2025-24085, is a use-after-free() flaw in the CoreMedia component common across iOS, macOS, and so forth that the iGiant says it fixed with improved memory management. CoreMedia is essentially the engine behind how Apple gear deals with audio and video.

We don't have much — or, really, any — information about how the bug is being abused in attacks and by whom, other than it can be used by a rogue app on someone's device to gain more control over the system and that it's been used against iOS devices. While more details will likely leak out in the coming days, as of now we know the vulnerability was exploited as a zero-day, making it Apple's first of 2025.

"A malicious application may be able to elevate privileges," Apple noted in five of its Monday security updates. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2."

Apple didn't credit a security researcher or group with finding CVE-2025-24085, and it's still awaiting a CVSS severity rating plus additional CVE record details. As details of the vulnerability are known to some, and patches are now available, it's wise to apply the fix to all affected devices in case someone decides to port the exploit from iOS to other Apple OSes to use against victims.


The flaw affects several iPhones and iPads, and iOS 18.3 and iPadOS 18.3 plug the hole in these products. The software update is available now for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

Also to fix the issue: Apple Vision Pro users should upgrade to visionOS 2.3; all models of Apple TV HD and Apple TV 4K should download tvOS 18.3; and anyone running Apple's macOS Sequoia operating system should update to macOS Sequoia version 15.3.

Plus anyone wearing an Apple Watch Series 6 or later is urged to update to watchOS 11.3.

The updates address way more bugs than CVE-2025-24085, it must be said. For instance, the now-fixed CVE-2025-24137 in iOS can be exploited via AirPlay to run code on a victim's device; CVE-2025-24145 can be used by an app to figure out the user's phone number from system logs; CVE-2025-24107 can be used by a rogue app to get root privileges (also in macOS 15, fixed in 15.3); and CVE-2025-24159 can be abused to run code with kernel privileges (also macOS 15). CVE-2025-24128 in Safari can be exploited to alter the address bar to make a malicious site look genuine.

Separately, macOS Sonoma 14.7.3 is out with various security fixes, including one for the kernel's CVE-2025-24159. Ventura 13.7.3 is also out with a collection of security patches. ®
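The patch list above spans six platforms and three macOS lines, which is exactly the kind of table an admin ends up checking an MDM export against. The following is an added example, not code from the article or from Apple: it turns the minimum fixed versions named above into a per-platform, per-major-version floor table and audits a constructed inventory export against it. The device IDs and the CSV layout are hypothetical. Note the caveat built into the table: the article states the CVE-2025-24085 fix for Sequoia 15.3, while Sonoma 14.7.3 and Ventura 13.7.3 are only said to carry security fixes (including CVE-2025-24159), so those floors mean "has the January patches", not "has the CoreMedia fix". Devices on a major version the article does not cover (for example iOS 17) are reported for manual review rather than silently marked either way.

```python
"""Audit an Apple device inventory against the January 2025 fixed versions."""
import csv
import io

# Minimum versions carrying Apple's January 2025 fixes, as listed in the article above.
# Keyed by platform, then by major version, so each release line has its own floor.
# Sequoia 15.3 is the only macOS line the article ties to CVE-2025-24085 itself;
# Sonoma 14.7.3 and Ventura 13.7.3 are held to the floors of their own security updates.
FIXED_VERSIONS = {
    "iOS": {18: (18, 3)},
    "iPadOS": {18: (18, 3)},
    "visionOS": {2: (2, 3)},
    "tvOS": {18: (18, 3)},
    "watchOS": {11: (11, 3)},
    "macOS": {15: (15, 3), 14: (14, 7, 3), 13: (13, 7, 3)},
}


def parse_version(text):
    """'18.3.1' -> (18, 3, 1); tolerates surrounding whitespace and a leading 'v'."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def version_at_least(version, floor):
    """Compare dotted versions by zero-padding the shorter tuple, so 18.3 equals 18.3.0."""
    width = max(len(version), len(floor))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) >= pad(floor)


def patch_status(platform, version_text):
    """Return 'patched', 'vulnerable', or 'review' when the platform/major is not in the table."""
    floors = FIXED_VERSIONS.get(platform)
    if not floors:
        return "review"
    version = parse_version(version_text)
    floor = floors.get(version[0])
    if floor is None:
        return "review"
    return "patched" if version_at_least(version, floor) else "vulnerable"


def audit_inventory(csv_text):
    """Read a device_id,platform,os_version export and group device IDs by patch status."""
    report = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[patch_status(row["platform"], row["os_version"])].append(row["device_id"])
    return report


# Constructed sample export (hypothetical device IDs and versions, not real inventory data).
SAMPLE_INVENTORY = """device_id,platform,os_version
mbp-001,macOS,15.3
mbp-002,macOS,15.2.1
imac-003,macOS,14.7.3
imac-004,macOS,14.7.2
iphone-005,iOS,18.3
iphone-006,iOS,18.2.1
iphone-007,iOS,17.6.1
ipad-008,iPadOS,18.3
watch-009,watchOS,11.2
vision-010,visionOS,2.3
atv-011,tvOS,18.3
"""

if __name__ == "__main__":
    for status, devices in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {len(devices):2d}  {', '.join(devices)}")
```

Feeding a real MDM export only requires matching the three column names; the version comparison deliberately pads rather than compares strings, since "18.3" versus "18.10" would otherwise sort the wrong way.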
