Apple Patches a Zero-Day Vulnerability in Older iPhones and iPads

Apple has released supplemental security updates for older iPhone and iPad models, addressing a zero-day vulnerability previously patched in the latest versions of iOS, iPadOS, and macOS. Tracked as CVE-2025-43300, the flaw stems from an out-of-bounds write issue in the Image I/O library, responsible for handling graphic formats. This defect allowed buffer boundaries to be bypassed and, in certain cases, enabled remote code execution.

The initial fix was rolled out on August 20 for iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, as well as macOS Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8. Apple has now extended equivalent protections to older releases: iOS 15.8.5 and 16.7.12, alongside iPadOS 15.8.5 and 16.7.12. According to Apple, the adjustment strengthens boundary checks in image processing to prevent memory corruption. The company acknowledged that the vulnerability had been exploited in an “exceptionally sophisticated attack” targeting specific individuals.

The list of affected devices is extensive. Among iPhones: all versions of the 6s and 7, the first-generation SE, as well as the 8, 8 Plus, and X. Impacted iPads include the Air 2, the fourth-generation mini, the fifth-generation iPad, and the first-generation iPad Pro models (9.7-inch and 12.9-inch). The issue also extended to the seventh-generation iPod touch.

The incident formed part of a broader attack chain. In late August, WhatsApp patched a Zero-Click vulnerability (CVE-2025-55177), which, when combined with CVE-2025-43300, was weaponized in targeted surveillance campaigns. Some WhatsApp users even received notifications warning them of attempted spyware deployment. Other vendors were implicated as well: last week, Samsung addressed a remote code execution flaw that was also exploited alongside CVE-2025-55177 in attacks against Android devices.

With this disclosure, CVE-2025-43300 becomes the sixth zero-day Apple has been forced to patch in 2025. Earlier in the year, the company remediated vulnerabilities in January (CVE-2025-24085), February (CVE-2025-24200), March (CVE-2025-24201), and twice in April (CVE-2025-31200 and CVE-2025-31201).

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy