Full Report
Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below - CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate
Analysis Summary
# Vulnerability: Apple Backported Fixes for Three Actively Exploited Flaws in Legacy iOS/macOS
## CVE Details
- CVE ID: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201
- CVSS Score: 7.3 (High) for CVE-2025-24085; 4.6 (Medium) for CVE-2025-24200; 8.8 (High) for CVE-2025-24201
- CWE: Use-after-free (CVE-2025-24085), Authorization flaw (CVE-2025-24200), Out-of-bounds write (CVE-2025-24201)
## Affected Systems
- **Products:** iOS, iPadOS, macOS
- **Versions:** Specific legacy versions are targeted for backported fixes (see Remediation section for patched versions). The article implies earlier, unpatched versions of these operating systems are vulnerable.
- **Configurations:** Varies by vulnerability (e.g., device state for USB Restricted Mode bypass).
## Vulnerability Description
Apple patched three vulnerabilities that were reportedly under active exploitation before the backported fixes shipped.
1. **CVE-2025-24085 (Use-after-free in Core Media):** A use-after-free bug in the Core Media component allows a malicious application already installed on a device to escalate privileges.
2. **CVE-2025-24200 (Authorization issue in Accessibility):** An authorization flaw in the Accessibility component could allow an attacker to disable USB Restricted Mode on a locked device, potentially facilitating physical access attacks.
3. **CVE-2025-24201 (Out-of-bounds write in WebKit):** An out-of-bounds write issue in the WebKit component allows an attacker to craft malicious web content to break out of the Web Content sandbox.
## Exploitation
- **Status:** The article notes these vulnerabilities **have come under active exploitation in the wild** prior to the backported fixes.
- **Complexity:** Not stated in the article. The fact that all three flaws were exploited in the wild shows that working exploits exist; the WebKit out-of-bounds write is the most exposed of the three because it is reachable through crafted web content.
- **Attack Vector:** Varies: Local (for privilege escalation after installation), Adjacent/Physical (for USB Restricted Mode bypass), Network/Remote (for WebKit exploitation via crafted web content).
## Impact
- **Confidentiality:** High (Potential for system access via privilege escalation/sandbox escape).
- **Integrity:** High (Potential for unauthorized code execution/system modification).
- **Availability:** Medium (Potential for denial of service, but primary impact described is escalation/bypass).
## Remediation
### Patches
Apple backported fixes to the following versions:
* **CVE-2025-24085 fixes:**
  * macOS Sonoma 14.7.5
  * macOS Ventura 13.7.5
  * iPadOS 17.7.6
* **CVE-2025-24200 and CVE-2025-24201 fixes:**
  * iOS 15.8.4 / iPadOS 15.8.4
  * iOS 16.7.11 / iPadOS 16.7.11
### Workarounds
No workarounds were detailed in the provided summary; because the flaws are under active exploitation, updating to the patched versions listed above is the only recommended mitigation.
## Detection
- **Indicators of Compromise:** Not explicitly listed, but indicators would likely involve unusual privilege escalation, unexpected changes to device security settings (USB Restricted Mode), or exploitation attempts targeting Core Media, Accessibility, or WebKit processes.
- **Detection Methods and Tools:** Standard endpoint security tools capable of monitoring system calls and memory corruption indicators related to these specific Apple frameworks may aid in detection.
## References
- Vendor Advisories: Specific advisories are linked in the source article for detailed version information (e.g., links regarding iOS 15.8.4, macOS Sonoma 14.7.5).
- Relevant links (defanged; these are The Hacker News articles covering each fix, not Apple's own advisories):
  * Coverage of CVE-2025-24085: thehackernews dot com/2025/01/apple-patches-actively-exploited-zero dot html
  * Coverage of CVE-2025-24200: thehackernews dot com/2025/02/apple-patches-actively-exploited-ios dot html
  * Coverage of CVE-2025-24201: thehackernews dot com/2025/03/apple-releases-patch-for-webkit-zero dot html
  * Source article (backported fixes): thehackernews dot com/2025/04/apple-backports-critical-fixes-for-3 dot html