Apple patches actively exploited ImageIO zero-day (CVE-2025-43300): update iOS/iPadOS/macOS now

By Ash K

What happened

Apple has shipped urgent security updates to address CVE-2025-43300, an out-of-bounds write in the ImageIO framework that can be triggered by a maliciously crafted image. Apple says it is aware of reports that the vulnerability “may have been exploited” in targeted attacks, which elevates this to a true zero-day scenario.

Affected versions

  • iOS / iPadOS: Fixed in 18.6.2 (and 17.7.10 for devices staying on iOS 17).
  • macOS: Fixed in Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8.

Apple’s patch notes cite improved bounds checking in ImageIO to prevent memory corruption.

Why it matters

Image parsing bugs are especially dangerous because the exploit can be delivered through messaging apps, email, web content, or any workflow that triggers image rendering—often without additional user interaction. For high-risk users and enterprises, this class of bug is routinely used in targeted surveillance and credential-stealing campaigns.

Risk to your environment

  • Potential remote code execution on managed iOS/iPadOS/macOS endpoints.
  • Bypass of EDR visibility if the payload is embedded in image content delivered via encrypted channels.
  • Device-level persistence and lateral movement if administrative profiles or shared Apple IDs are in use.

Immediate actions (TL;DR)

  1. Patch today: Roll out iOS/iPadOS 18.6.2 (or 17.7.10), and macOS 15.6.1 / 14.7.8 / 13.7.8 via MDM or manual updates.
  2. High-risk users: Enable Lockdown Mode or equivalent hardening until patch saturation is confirmed.
  3. Hygiene: Block or quarantine unknown image attachments from untrusted senders; prefer link-based previews over inline rendering where possible.
  4. Monitor: Hunt for odd image processing activity and crashes in ImageIO-related processes.
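To confirm patch saturation after step 1, the following is an added example (not the author's or Apple's code) that checks OS version strings from a constructed MDM export against the fixed releases listed above. It compares versions numerically, so 17.7.9 is correctly ranked below 17.7.10, and it flags devices on a major release the advisory does not list so they get reviewed rather than dropped.

```python
"""Check Apple OS version strings against the CVE-2025-43300 fixed releases.
Added example, not Apple's or the author's code. Assumes an MDM export with
one "device_id,platform,version" line per device (constructed sample below)."""

# Fixed releases from the advisory, keyed by (platform, major version).
FIXED = {
    ("ios", 18): (18, 6, 2),
    ("ios", 17): (17, 7, 10),
    ("ipados", 18): (18, 6, 2),
    ("ipados", 17): (17, 7, 10),
    ("macos", 15): (15, 6, 1),  # Sequoia
    ("macos", 14): (14, 7, 8),  # Sonoma
    ("macos", 13): (13, 7, 8),  # Ventura
}

def parse_version(text):
    """Turn '15.6' or '15.6.1' into a 3-part integer tuple so that
    comparison is numeric ('17.7.9' < '17.7.10', unlike string order)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(platform, version):
    """True if the version carries the fix, False if it does not, None if
    the major release has no fix listed (e.g. macOS 12) and needs review."""
    v = parse_version(version)
    fixed = FIXED.get((platform.lower(), v[0]))
    if fixed is None:
        return None
    return v >= fixed

def unpatched_devices(inventory):
    """Device ids from the export that still need the update; unknown
    majors are included so nobody silently drops off the list."""
    needs_update = []
    for line in inventory.strip().splitlines():
        device_id, platform, version = (f.strip() for f in line.split(","))
        if is_patched(platform, version) is not True:
            needs_update.append(device_id)
    return needs_update

# Constructed sample export, not real inventory data.
SAMPLE = """mac-001,macOS,15.6.1
mac-002,macOS,15.6
mac-004,macOS,12.7.6
ipad-001,iPadOS,17.7.9
iphone-001,iOS,18.6.2"""

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE):
        print("needs update:", dev)
```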

Detection & hunting ideas

  • macOS: Review /var/log/system.log and Unified Logs for repeated crashes in ImageIO, Safari, Messages, Mail, or apps that thumbnail images shortly before network beacons.
  • Network: Flag spikes of image downloads from unfamiliar domains immediately preceding device instability.
  • MDM/EDR: Alert on repeated sandbox violations or abnormal memory protection faults in graphics and image frameworks.

Longer-term mitigations

  • Maintain fast-track channels for Apple emergency updates across mobile and desktop fleets.
  • Reduce automatic inline image rendering in email clients for high-risk groups.
  • Segment devices with elevated exposure (execs, researchers, incident responders) and enforce stricter content controls.

Timeline

  • Aug 2025: Apple ships fixes; exploitation reported in the wild.
  • Now: Enterprises should complete staging and push updates globally.

Bottom line

If you manage Apple devices, treat CVE-2025-43300 as an emergency. Prioritize update deployment, watch for suspicious image content, and harden high-risk user profiles until patch coverage is verified.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.