Apple has released an urgent security update addressing a critical zero-day vulnerability in the WebKit engine that powers Safari and numerous other applications across its ecosystem. Security researchers confirmed active exploitation of this vulnerability in sophisticated targeted attacks before the patch was available, classifying it as a zero-day threat requiring immediate action from all Apple device users.
WebKit Vulnerability: Technical Analysis
The vulnerability, tracked as CVE-2025-24201, affects the WebKit browser engine — a core component responsible for rendering web content across Apple’s platforms. The flaw enables malicious actors to execute a sandbox escape through specially crafted web content, potentially breaking out of the restricted WebKit sandbox and accessing broader system resources. Full technical details are published in the Apple security advisory and in the NVD entry for CVE-2025-24201.
All Apple Devices Running iOS, macOS, watchOS Below the Patched Version
The vulnerability affects all Apple devices running WebKit-based browsers on operating system versions prior to the following patched releases:
- iPhone and iPad users running iOS or iPadOS below 18.3.2 (including all iOS 17.x versions);
- Mac users on macOS Sequoia versions prior to 15.3.2;
- Apple Vision Pro users on visionOS below 2.3.2;
- Users of Safari browser below version 18.3.1 on any supported macOS;
- Third-party browser apps on iOS and iPadOS that use the WebKit engine, which is mandatory for all browsers on Apple’s mobile platforms.
Impact Assessment and Affected Systems
Apple has released comprehensive security updates across its product line to address the vulnerability:
- iOS 18.3.2
- iPadOS 18.3.2
- macOS Sequoia 15.3.2
- visionOS 2.3.2
- Safari 18.3.1
Security Patch Implementation and Mitigation
The security update implements enhanced out-of-bounds write validation mechanisms, preventing unauthorized access to protected memory regions. This patch strengthens WebKit’s security architecture against exploitation attempts targeting this specific vulnerability class.
Recommended Security Measures
Security experts strongly advise implementing the following protective measures:
- Install the security updates immediately on all compatible devices via Settings → General → Software Update;
- Enable automatic software updates to ensure timely patch deployment for future vulnerabilities;
- On macOS, update Safari independently via the App Store even if the OS update is deferred;
- Avoid untrusted websites and links until the update is applied, as exploitation occurs via crafted web content;
- Check the Apple security updates page regularly to track the release of future patches.
This vulnerability is the third zero-day in Apple products patched since the beginning of 2025, following CVE-2025-24085 and CVE-2025-24200 identified in January and February respectively, indicating sustained attacker interest in Apple’s WebKit engine.
