
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw affecting multiple Apple products to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2025-24085, is a significant issue that Apple has recently addressed with security updates.
Details of the Vulnerability
Apple released these security updates to resolve a zero-day vulnerability that was actively exploited in attacks targeting iPhone users. The flaw is a privilege escalation vulnerability situated in the Core Media framework, which is crucial for handling multimedia tasks on both iOS and macOS devices.
With this flaw, a malicious application could potentially escalate its privileges. Reports indicated that this issue may have been actively exploited on versions of iOS prior to iOS 17.2.
Affected Devices
The vulnerability affects the following devices:
- iPhone XS and later models
- iPad Pro 13-inch and 12.9-inch, 3rd generation and later
- iPad Pro 11-inch, 1st generation and later
- iPad Air, 3rd generation and later
- iPad, 7th generation and later
- iPad mini, 5th generation and later
Security Updates and Fixes
To counter this issue, Apple implemented improvements in memory management. The security updates released include iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3.
Implications and Recommendations
Although detailed information about the attacks exploiting this vulnerability remains undisclosed, flaws of this kind are often used by nation-state actors or by commercial surveillance vendors.
Users are strongly urged to install the latest security updates from Apple to safeguard their devices.
Under Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate this and similar vulnerabilities by the stipulated deadline to protect against exploitation.
Private organizations are also advised to review the catalog and secure any vulnerabilities within their infrastructure. CISA has set February 13, 2025, as the deadline for federal agencies to patch this vulnerability.
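As an added illustration of the review CISA recommends (example code, not part of the article or of any CISA tooling), the script below checks a device inventory against the fixed versions listed above and against the KEV due date. The KEV record and the inventory are constructed for the example; the record's field names follow the public KEV JSON schema, and the due date and fixed versions are the ones reported in the article.

```python
from datetime import date

# Constructed KEV-style record (not the live feed); field names follow
# CISA's KEV JSON schema, due date as reported in the article.
KEV_ENTRY = {
    "cveID": "CVE-2025-24085",
    "vendorProject": "Apple",
    "product": "Multiple Products",
    "dueDate": "2025-02-13",
}

# Minimum fixed OS version per platform, from Apple's update list.
FIXED_VERSIONS = {
    "iOS": "18.3", "iPadOS": "18.3", "macOS": "15.3",
    "watchOS": "11.3", "visionOS": "2.3", "tvOS": "18.3",
}

def parse_version(v):
    """Turn '18.2.1' into (18, 2, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_patched(platform, version):
    """True if the device runs the fixed version for its platform or newer."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise ValueError(f"unknown platform: {platform}")
    return parse_version(version) >= parse_version(fixed)

def unpatched_devices(inventory):
    """Names of inventory devices still below the fixed version."""
    return [d["name"] for d in inventory
            if not is_patched(d["platform"], d["version"])]

def days_until_due(entry, today_iso):
    """Days left until the KEV dueDate; negative means it has passed."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days

# Constructed sample inventory (hypothetical device names and versions).
INVENTORY = [
    {"name": "cfo-iphone", "platform": "iOS", "version": "18.2.1"},
    {"name": "lab-ipad", "platform": "iPadOS", "version": "18.3"},
    {"name": "dev-mac", "platform": "macOS", "version": "15.3.1"},
    {"name": "lobby-appletv", "platform": "tvOS", "version": "18.2"},
]

if __name__ == "__main__":
    print("still vulnerable:", unpatched_devices(INVENTORY))
    print("days to due date:", days_until_due(KEV_ENTRY, "2025-01-30"))
```

Feeding the real KEV JSON and an MDM export into the same functions turns this into a daily check that flags devices still below the fixed build as the BOD 22-01 deadline approaches.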