Apple on Wednesday released iPadOS/iOS 18.6.2, as a security update addressing a zero-day vulnerability— tracked as CVE-2025-43300. The company said, the bug has already been exploited in a sophisticated attack against targeted users.
The Cupertino-based tech giant’s security patch raised alarms due to a critical flaw in Apple’s ImageIO framework, a component used to process image files on a majority version of iPhones and iPads, in use. The vulnerability involves an out-of-bounds write, meaning a maliciously crafted image could overwrite memory and thus enable remote code execution.
Apple confirmed the flaw was fixed by improving bounds checking and noted that it had received credible information suggesting exploitation in a targeted manner.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
The phrase “extremely sophisticated attack” indicates that the flaw could be linked to a broader operation, potentially carried out by nation-state hackers or advanced persistent threat groups focused on high-profile targets. Such wording is generally used only for the most severe security incidents.
Apple’s zero-days have been notoriously been leveraged in the past by spyware vendors who under the cloak of national security interests, helped several authoritarian governments spy on the people from opposition, journalists, intellectuals and activists from various domains.
Read: 7 New Pegasus Infections Found on Media and Activists’ Devices in the EU
Apple’s policy of withholding details until a patch is available is in full force here. The launch of iOS 18.6.2 on Wednesday signals that the company took swift internal action to deploy defenses before public disclosure. The update is available for iPhone XS and later models, as well as iPad Pro and iPad models dating back to the 3rd-gen Pro and iPad 7th generation.
Patches applicable for:
- iPhone XS and later
- iPad Pro 13-inch
- iPad Pro 12.9-inch 3rd generation and later
- iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 7th generation and later, and
- iPad mini 5th generation and later
The fact that attackers exploited something as mundane as an image file shows how modern zero-day campaigns aim for stealth and ubiquity. With images being rendered automatically across apps, browsers, and messaging platforms, the attack surface becomes nearly invisible to the end user.
Apple’s fast patch rollout may have blunted this particular threat, but it also highlights the ongoing tug of war between device makers and attackers who are constantly seeking new ways to exploit everyday features for high-value gains.
