Apple has backported a patch for CVE-2025-43300, an out-of-bounds write flaw in the ImageIO framework, extending protection to older devices that did not receive the fix when it first shipped last month.
The affected older devices include the iPhone 6s, iPhone 7, iPhone 8, iPhone X, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), various iPad Pro models, other iPad models, and the iPod touch (7th generation).
The vulnerability is in Apple’s ImageIO framework, the system component that parses image files on behalf of apps. A crafted image can make ImageIO write outside the buffer it allocated for the image data, corrupting adjacent memory; depending on what is overwritten, that ends in a crash or in attacker-controlled code execution. In real-world attacks, CVE-2025-43300 was chained with a WhatsApp zero-click flaw (CVE-2025-55177) in a spyware campaign that targeted fewer than 200 individuals.
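To make the bug class concrete, here is an added illustration in C. It is written for this article, not taken from Apple's ImageIO, and it uses a constructed toy raw-image format and constructed malicious files; it is not the root cause of CVE-2025-43300, which Apple has not described in detail. The unchecked decoder sizes its buffer from the header's width and height but copies as many bytes as the header's payload-length field says, and its 32-bit width*height product can wrap; the checked decoder derives every length from validated geometry and rejects a header that disagrees with itself. A canary region after the simulated allocation shows which decoder writes out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy raw-image format, constructed for this example (not ImageIO's format):
 *   bytes 0..3   width  (u32, little-endian)
 *   bytes 4..7   height (u32, little-endian)
 *   bytes 8..11  payload length (u32, little-endian)
 *   bytes 12..   pixel payload, one byte per pixel
 */
#define HDR_LEN     12
#define PIXEL_CAP   16   /* bytes the decoder "allocated" for pixels */
#define CANARY_LEN  64   /* memory that happens to sit right after that allocation */
#define CANARY_BYTE 0xA5

enum decode_status { DECODE_OK = 0, DECODE_TRUNCATED, DECODE_BAD_GEOMETRY, DECODE_BAD_LEN };

/* One flat buffer stands in for a heap chunk (first PIXEL_CAP bytes) plus its neighbour,
 * so the demonstration corrupts the simulated neighbour instead of crashing the process. */
typedef struct { uint8_t mem[PIXEL_CAP + CANARY_LEN]; } arena_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void arena_init(arena_t *a) {
    memset(a->mem, 0, PIXEL_CAP);
    memset(a->mem + PIXEL_CAP, CANARY_BYTE, CANARY_LEN);
}
/* Returns 1 if nothing past the allocation was touched. */
int canary_intact(const arena_t *a) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (a->mem[PIXEL_CAP + i] != CANARY_BYTE) return 0;
    return 1;
}

/* Vulnerable decoder: sizes the allocation from width*height (32-bit, so the product
 * can wrap) but copies as many bytes as the attacker-controlled length field says. */
int decode_unchecked(const uint8_t *file, size_t file_len, arena_t *a) {
    if (file_len < HDR_LEN) return DECODE_TRUNCATED;
    uint32_t w = rd32(file), h = rd32(file + 4), n = rd32(file + 8);
    if (file_len - HDR_LEN < n) return DECODE_TRUNCATED;
    uint32_t alloc = w * h;                      /* wraps for large dimensions */
    if (alloc > PIXEL_CAP) return DECODE_BAD_GEOMETRY;
    memcpy(a->mem, file + HDR_LEN, n);           /* n is never compared with alloc */
    return DECODE_OK;
}

/* Hardened decoder: every length derives from validated geometry, and a payload
 * that disagrees with that geometry is rejected, so the copy cannot exceed the buffer. */
int decode_checked(const uint8_t *file, size_t file_len, arena_t *a) {
    if (file_len < HDR_LEN) return DECODE_TRUNCATED;
    uint32_t w = rd32(file), h = rd32(file + 4), n = rd32(file + 8);
    if (w == 0 || h == 0) return DECODE_BAD_GEOMETRY;
    uint64_t need = (uint64_t)w * (uint64_t)h;   /* cannot wrap in 64 bits */
    if (need > PIXEL_CAP) return DECODE_BAD_GEOMETRY;
    if (n != need) return DECODE_BAD_LEN;        /* header must agree with geometry */
    if (file_len - HDR_LEN < need) return DECODE_TRUNCATED;
    memcpy(a->mem, file + HDR_LEN, (size_t)need); /* bounded by PIXEL_CAP */
    return DECODE_OK;
}

/* Builds a file in the toy format; the payload is n copies of fill. Returns total length. */
static size_t build_file(uint8_t *out, uint32_t w, uint32_t h, uint32_t n, uint8_t fill) {
    wr32(out, w); wr32(out + 4, h); wr32(out + 8, n);
    memset(out + HDR_LEN, fill, n);
    return HDR_LEN + n;
}

/* Scenario 1 (constructed malicious input): a 4x4 image whose header claims 64 payload bytes. */
int unchecked_accepts_and_clobbers(void) {
    uint8_t f[HDR_LEN + 64]; arena_t a; arena_init(&a);
    size_t len = build_file(f, 4, 4, 64, 0x41);
    return decode_unchecked(f, len, &a) == DECODE_OK && !canary_intact(&a);
}
int checked_rejects_length_mismatch(void) {
    uint8_t f[HDR_LEN + 64]; arena_t a; arena_init(&a);
    size_t len = build_file(f, 4, 4, 64, 0x41);
    int st = decode_checked(f, len, &a);
    return canary_intact(&a) ? st : -1;
}
/* Scenario 2 (constructed): 65536x65536 image with a 16-byte payload; w*h wraps to 0 in 32 bits. */
int unchecked_accepts_wrapped_geometry(void) {
    uint8_t f[HDR_LEN + 16]; arena_t a; arena_init(&a);
    return decode_unchecked(f, build_file(f, 65536, 65536, 16, 0x42), &a);
}
int checked_rejects_wrapped_geometry(void) {
    uint8_t f[HDR_LEN + 16]; arena_t a; arena_init(&a);
    return decode_checked(f, build_file(f, 65536, 65536, 16, 0x42), &a);
}
/* Scenario 3 (constructed): a benign 4x4 image with a consistent header. */
int checked_accepts_benign(void) {
    uint8_t f[HDR_LEN + 16]; arena_t a; arena_init(&a);
    int st = decode_checked(f, build_file(f, 4, 4, 16, 0x43), &a);
    return st == DECODE_OK && a.mem[15] == 0x43 && canary_intact(&a);
}

int main(void) {
    printf("unchecked decoder: malicious file accepted, neighbour clobbered: %d\n", unchecked_accepts_and_clobbers());
    printf("checked decoder:   same file rejected with status %d\n", checked_rejects_length_mismatch());
    printf("unchecked decoder: wrapped geometry accepted (status %d)\n", unchecked_accepts_wrapped_geometry());
    printf("checked decoder:   wrapped geometry rejected (status %d)\n", checked_rejects_wrapped_geometry());
    printf("checked decoder:   benign file decoded correctly: %d\n", checked_accepts_benign());
    return 0;
}
```

The two fixes are the ones reviewers look for in any decoder: size arithmetic done in a width that cannot wrap (or with explicit overflow checks), and a copy length that comes from the validated allocation size rather than from a second, attacker-supplied field. Real decoders have many more length fields (row strides, tile sizes, compressed chunk lengths), and each one needs the same treatment.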
Apple initially patched the flaw for its current devices last month and has now extended the fix to older models. Meta has patched the related WhatsApp vulnerability, and Samsung has patched a remote code execution vulnerability that was chained with the WhatsApp flaw in attacks on Android devices.
Owners of the affected older devices should install the backported updates immediately:
• iOS 15.8.5 and 16.7.12
• iPadOS 15.8.5 and 16.7.12
Apple has also rolled out iOS 18.7, iPadOS 18.7, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, iOS 26, iPadOS 26, and Xcode 26, which contain patches for additional security issues not related to CVE-2025-43300. Among these are fixes for CoreAudio (CVE-2025-43349), multiple Sandbox escape flaws (CVE-2025-43329 and CVE-2025-43204), a critical DiskArbitration root privilege escalation (CVE-2025-43316), WebKit instability leading to crashes (CVE-2025-43272), and a high-risk Git vulnerability in Xcode (CVE-2025-48384).
Apple has said there is no indication that these additional bugs have been exploited in the wild. The campaign shows how attackers chain vulnerabilities across operating systems and apps to carry out targeted surveillance; patching only one link, such as the WhatsApp app, does not protect a device whose OS still carries the ImageIO flaw.