A critical zero-day vulnerability, CVE-2025-24085, has been actively exploited in the wild, affecting multiple Apple products including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The flaw, which has been assigned a maximum CVSS score of 10, involves a use-after-free issue in Apple's Core Media framework. This vulnerability allows a malicious application to potentially elevate its privileges, posing a significant risk to users.
The vulnerability was disclosed on January 27, 2025, and was swiftly added to CISA's Known Exploited Vulnerabilities (KEV) catalog by January 29, 2025, underscoring its critical nature. The exploitation of this flaw was detected within just over a day of its disclosure, highlighting the urgency for users to update their devices immediately.
Apple has released patches to address this vulnerability in several of its operating systems. The updates are available in iOS 18.3, iPadOS 18.3, iPadOS 17.7.6, macOS Sequoia 15.3, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.3, visionOS 2.3, and watchOS 11.3. These updates implement improved memory management to mitigate the issue.
The exploitation of CVE-2025-24085 has been confirmed to target iPhone users specifically, though the vulnerability affects a broad range of Apple devices. The availability of two proof-of-concept exploits further increases the risk, making it imperative for users to apply the security updates without delay.
Security experts emphasize the critical nature of this vulnerability due to its high severity and the speed at which it was exploited. Organizations and individual users alike are urged to prioritize these updates to protect against potential attacks that could leverage this flaw for privilege escalation.
Given the vulnerability's inclusion in the KEV list and its active exploitation, defenders should verify that all affected devices within their networks are updated to the latest software versions. This proactive measure is essential to safeguard against any malicious activities that exploit this critical flaw.
CSURFACE