CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-24201

CVSS 10.0v3.1pub. 2025-03-11upd. 2026-04-03

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

🤖 AI Analysis
How it works

The flaw involves an out-of-bounds write in allocated memory buffer in the WebKit engine during processing of maliciously crafted web content. Insufficient control mechanisms allow an attacker to perform unauthorized memory operations, resulting in escape from the isolated Web Content process (sandbox escape). Apple indicates this is a supplementary security fix for an attack that was previously blocked in iOS 17.2 — this means the original attack vector was known earlier, but could be bypassed on older system versions.

Impact

An attacker can break out of the browser process isolation (sandbox escape), which could consequently lead to unauthorized access to the operating system, compromise of confidentiality, integrity, and availability of data on the victim's device.

Mitigation & patch

Update immediately to the following versions: Safari 18.3.1, iOS 18.3.2 / iPadOS 18.3.2, iOS 16.7.11 / iPadOS 16.7.11, iOS 15.8.4 / iPadOS 15.8.4, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Updates are available through standard Apple update mechanisms.

Who is affected

Apple Safari (before 18.3.1), iOS and iPadOS (before 18.3.2, 16.7.11, 15.8.4), iPadOS 17.7.6, macOS Sequoia (before 15.3.2), visionOS (before 2.3.2), watchOS (before 11.4). Active exploitation confirmed on iOS versions earlier than iOS 17.2.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Apple iPadOS

    OS
    Apple
    18.0 – 18.3.2 (bez)15.8 – 15.8.4 (bez)16.7 – 16.7.11 (bez)17.0 – 17.7.6 (bez)
  • Apple iOS

    OS
    Apple
    15.8 – 15.8.4 (bez)17.0 – 18.3.2 (bez)16.7 – 16.7.11 (bez)
  • Apple macOS

    OS
    Apple
    15.0 – 15.3.2 (bez)
  • Apple Safari

    APP
    Apple
    < 18.3.1
  • Apple Visionos

    OS
    Apple
    < 2.3.2
  • Apple watchOS

    OS
    Apple
    < 11.4
  • Debian

    OS
    Debian
    11.0

CISA KEV — detailsi

Vendori
Apple
Producti
Multiple Products
Added to KEVi
March 13, 2025
Remediation deadline (US Federal)i
April 3, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 kwietnia 2025
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)