CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-43300

CVSS 10.0v3.1pub. 2025-08-21upd. 2026-04-03

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12, iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, macOS Ventura 13.7.8. Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

🤖 AI Analysis
How it works

The vulnerability (CWE-787) consists of a write error outside the permitted memory area during processing of a specially crafted image file. Insufficient bounds checking allows an attacker to perform controlled overwrites of process memory areas. Delivering a malicious file to the victim — for example via message, email, or website — may be sufficient to trigger the error without requiring user interaction beyond opening or viewing the file.

Impact

Successful exploitation of the vulnerability can lead to memory corruption, and consequently to arbitrary code execution (RCE) in the context of the attacked application or system. An attacker can gain full control over the device, including access to sensitive data, ability to compromise system integrity, and disruption of its availability.

Mitigation & patch

Systems must be immediately updated to the following versions containing the patch: iOS 18.6.2 / iPadOS 18.6.2, iOS 16.7.12 / iPadOS 16.7.12, iOS 15.8.5 / iPadOS 15.8.5, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, macOS Ventura 13.7.8. Details available in vendor references (support.apple.com).

Who is affected

iOS 15 before version 15.8.5, iOS 16 before version 16.7.12, iOS 17 (iPadOS) before version iPadOS 17.7.10, iOS 18 before version 18.6.2, iPadOS 15 before version 15.8.5, iPadOS 16 before version 16.7.12, iPadOS 18 before version 18.6.2, macOS Sequoia before version 15.6.1, macOS Sonoma before version 14.7.8, macOS Ventura before version 13.7.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Apple iPadOS

    OS
    Apple
    < 15.8.516.0 – 16.7.12 (bez)17.0 – 17.7.10 (bez)18.0 – 18.6.2 (bez)
  • Apple iOS

    OS
    Apple
    < 15.8.516.0 – 16.7.12 (bez)17.0 – 18.6.2 (bez)
  • Apple macOS

    OS
    Apple
    13.0 – 13.7.8 (bez)14.0 – 14.7.8 (bez)15.0 – 15.6.1 (bez)

CISA KEV — detailsi

Vendori
Apple
Producti
iOS, iPadOS, and macOS
Added to KEVi
August 21, 2025
Remediation deadline (US Federal)i
September 11, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Apple iOS, iPadOS, and macOS contain an out-of-bounds write vulnerability in the Image I/O framework.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 11 września 2025
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki

CVE-2025-24085CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Use-after-free w Apple iOS/iPadOS/macOS — privilege escalation przez aplikację