NG Solution Team

How is Apple addressing the ImageIO zero-day vulnerability?

Apple has rolled out urgent security updates to counter a critical zero-day vulnerability, CVE-2025-43300, in its ImageIO framework, which has been actively exploited in targeted attacks. It is the seventh zero-day Apple has patched in 2025, a sign of the escalating threat landscape for iOS and macOS devices. The vulnerability is now listed in CISA's Known Exploited Vulnerabilities catalog with a remediation deadline of September 11, 2025 for US federal agencies; everyone else should treat it with the same urgency.

The flaw is an out-of-bounds write in the JPEG lossless decoding path used for Adobe DNG files. DNG is a TIFF container, and the raw image data inside it may be stored as a lossless JPEG stream (an SOF3 frame). The bug arises when metadata in the TIFF subdirectories disagrees with what the embedded JPEG's SOF3 frame header declares: the decoder trusts both without checking that they agree, and the resulting size confusion produces an out-of-bounds write during decoding. Public analysis showed that the trigger can be produced by altering just two bytes of an otherwise valid DNG file. Because ImageIO parses images automatically to render previews and thumbnails, a malicious file delivered through iMessage, email, AirDrop, or web content can trigger the bug with no user interaction beyond receiving it, which is what makes this a zero-click exploit.

Apple describes the attacks as extremely sophisticated and aimed at specific targeted individuals, language it reserves for advanced threat actors. Developing the exploit requires deep knowledge of the DNG format and of Apple's decoder: publicly released proof-of-concept code reproduces the memory corruption in Apple's RawCamera.bundle, the component that handles DNG decoding, though reproducing the corruption is a long way from the full exploit chain the attackers used. Detection tools have since been developed to identify DNG files built this way.
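As an added example, not code from this page, from Apple, or from the researchers who analysed the bug: a standalone Python scanner that walks a DNG's TIFF directories (including SubIFDs, tag 330), finds JPEG-compressed strips or tiles (Compression = 7), reads the component count Nf from the embedded JPEG's SOF3 frame header, and flags any directory where Nf disagrees with the TIFF SamplesPerPixel tag. The page does not say which direction of mismatch the in-the-wild files used, so the scanner reports disagreement in either direction. Tag numbers and marker codes come from the TIFF 6.0 and JPEG (ITU-T T.81) specifications; the function names and the minimal-file builder used to construct the sample inputs are my own.

```python
"""Heuristic scanner for DNG/TIFF files whose embedded lossless-JPEG (SOF3)
component count disagrees with the TIFF SamplesPerPixel tag (added example)."""
import struct
import sys

# TIFF 6.0 tag numbers and the JPEG compression code
TAG_COMPRESSION, TAG_STRIP_OFFSETS, TAG_SAMPLES_PER_PIXEL = 259, 273, 277
TAG_STRIP_BYTE_COUNTS, TAG_TILE_OFFSETS, TAG_TILE_BYTE_COUNTS, TAG_SUB_IFDS = 279, 324, 325, 330
COMPRESSION_JPEG = 7
TYPE_SIZES = {1: 1, 3: 2, 4: 4, 7: 1, 13: 4}  # BYTE, SHORT, LONG, UNDEFINED, IFD
TYPE_FMT = {1: "B", 3: "H", 4: "I", 7: "B", 13: "I"}


def _read_values(data, endian, typ, count, value_field):
    """Decode an IFD entry's values; a payload of <= 4 bytes is stored inline."""
    if typ not in TYPE_SIZES:
        return []
    total = TYPE_SIZES[typ] * count
    off = value_field if total <= 4 else struct.unpack_from(endian + "I", data, value_field)[0]
    return list(struct.unpack_from(endian + TYPE_FMT[typ] * count, data, off))


def _parse_ifd(data, endian, offset):
    """Return ({tag: [values]}, next_ifd_offset) for the IFD at `offset`."""
    n = struct.unpack_from(endian + "H", data, offset)[0]
    tags, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack_from(endian + "HHI", data, pos)
        tags[tag] = _read_values(data, endian, typ, count, pos + 8)
        pos += 12
    return tags, struct.unpack_from(endian + "I", data, pos)[0]


def sof3_components(jpeg):
    """Walk JPEG markers; return (precision, height, width, Nf) from the first SOF3, else None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            return None
        marker = jpeg[i + 1]
        if marker == 0xFF:                       # fill byte
            i += 1
            continue
        if marker in (0xD9, 0xDA):               # EOI or SOS before any SOF3
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers (TEM, RSTn, SOI)
            i += 2
            continue
        if i + 4 > len(jpeg):
            return None
        seglen = struct.unpack_from(">H", jpeg, i + 2)[0]
        if seglen < 2:
            return None
        if marker == 0xC3:                       # SOF3: lossless frame header
            if seglen < 8 or i + 10 > len(jpeg):
                return None
            return struct.unpack_from(">BHHB", jpeg, i + 4)   # P, Y, X, Nf
        i += 2 + seglen
    return None


def scan_dng(data):
    """Return one finding per IFD whose SOF3 component count != SamplesPerPixel."""
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None or struct.unpack_from(endian + "H", data, 2)[0] != 42:
        raise ValueError("not a TIFF/DNG file")
    findings, seen = [], set()
    queue = [struct.unpack_from(endian + "I", data, 4)[0]]
    while queue:
        off = queue.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue
        seen.add(off)
        try:
            tags, nxt = _parse_ifd(data, endian, off)
        except struct.error:                      # truncated or malformed directory
            continue
        queue.append(nxt)
        queue.extend(tags.get(TAG_SUB_IFDS, []))  # the "TIFF subdirectories" the bug lives in
        if tags.get(TAG_COMPRESSION, [None])[0] != COMPRESSION_JPEG:
            continue
        spp = tags.get(TAG_SAMPLES_PER_PIXEL, [1])[0]
        offsets = tags.get(TAG_TILE_OFFSETS) or tags.get(TAG_STRIP_OFFSETS) or []
        counts = tags.get(TAG_TILE_BYTE_COUNTS) or tags.get(TAG_STRIP_BYTE_COUNTS) or []
        for o, c in zip(offsets, counts):
            hdr = sof3_components(data[o:o + c])
            if hdr is not None and hdr[3] != spp:
                findings.append({"ifd": off, "samples_per_pixel": spp, "sof3_components": hdr[3]})
    return findings


def build_dng(samples_per_pixel, sof3_nf):
    """Constructed sample: minimal little-endian TIFF with one JPEG-compressed 1x1 strip."""
    jpeg = bytearray(b"\xff\xd8\xff\xc3") + struct.pack(">HBHHB", 8 + 3 * sof3_nf, 16, 1, 1, sof3_nf)
    for comp in range(sof3_nf):
        jpeg += bytes([comp + 1, 0x11, 0])      # component id, sampling factors, table
    jpeg += b"\xff\xd9"
    entries = [(256, 4, 1, 1), (257, 4, 1, 1), (258, 3, 1, 16), (259, 3, 1, COMPRESSION_JPEG),
               (273, 4, 1, 0), (277, 3, 1, samples_per_pixel), (279, 4, 1, len(jpeg))]
    data_off = 8 + 2 + 12 * len(entries) + 4   # strip data follows the single IFD
    entries[4] = (273, 4, 1, data_off)
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:       # tags already in ascending order
        ifd += struct.pack("<HHI", tag, typ, count)
        ifd += struct.pack("<HH", value, 0) if typ == 3 else struct.pack("<I", value)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + bytes(jpeg)


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            print(path, scan_dng(fh.read()) or "ok")
```

A reported mismatch is a heuristic indicator that a file was hand-built to confuse the decoder, not proof of exploitation; real DNGs normally keep the two counts consistent. Run it as `python scan_dng.py file.dng` on a machine that does not render the files, and only open untrusted images on a patched system.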

Unlike earlier iOS zero-click exploits that were quickly tied to commercial spyware, CVE-2025-43300 is hard to attribute: Apple has published nothing about the attackers or the targets. That contrasts with well-documented campaigns such as BLASTPASS and FORCEDENTRY, both attributed to NSO Group's Pegasus spyware. The sophistication and narrow targeting nonetheless point to a nation-state actor or an advanced commercial spyware vendor.

The evolution of iOS zero-click attacks reflects an arms race between Apple's mitigations and adversary capabilities. Earlier operations such as Operation Triangulation and FORCEDENTRY showed unprecedented technical complexity: Triangulation abused undocumented hardware features to defeat memory protections, and FORCEDENTRY assembled a virtual computer out of JBIG2 image-decoding operations inside iOS memory. NSO Group's Pegasus has moved from click-based lures to zero-click exploits, focusing on high-value targets such as journalists and government officials.

In response, Apple urges immediate updates to iOS 18.6.2 and iPadOS 18.6.2, and to the corresponding macOS releases (Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8), especially for users likely to be targeted. Lockdown Mode raises the bar for zero-click delivery by restricting message attachments and other attack surface, at the cost of device functionality, but it is not a substitute for the patch. Organizations should enhance monitoring, deploy advanced detection solutions, and keep their threat intelligence current. Proactive threat hunting, including scanning inbound image attachments for malformed DNG files and reviewing crash logs from image-decoding processes, is the practical way to surface stealthy zero-click attacks.

CVE-2025-43300 highlights the ongoing evolution of mobile threats, in which sophisticated adversaries turn complex file-format vulnerabilities into persistent surveillance capabilities. It underscores the need for comprehensive mobile security strategies that address both technical and operational threats.
