Full Report
Apple has released security updates that backport fixes for vulnerabilities exploited as zero-days to older versions of its operating systems. [...]
Analysis Summary
# Vulnerability: Apple Backported Zero-Day Patches and Fixed Numerous Flaws Across OS Versions
## CVE Details
This summary covers multiple CVEs mentioned in the advisories:
- CVE ID: CVE-2025-24201 (Mentioned in relation to older OS versions)
- CVE ID: CVE-2025-24085 (Privilege escalation in Core Media, fixed Jan 2025)
- CVE ID: CVE-2025-30456 (App sandbox bypass allowing root privilege escalation)
- CVE ID: CVE-2025-24097 (Arbitrary file metadata access)
- CVE ID: CVE-2025-31182 (Arbitrary file deletion)
- CVE ID: CVE-2025-24228 (Arbitrary code execution with kernel privileges)
- CVE ID: CVE-2025-24267 (Privilege escalation to root)
- CVE ID: CVE-2025-24178 (Sandbox escape)
- CVE ID: CVE-2025-24213 (WebKit memory corruption)
- CVE ID: CVE-2025-30427 (WebKit use-after-free)
- CVE ID: CVE-2025-24180 (WebAuthn credential confusion)
- CVSS Score: Not explicitly provided; treat all as High severity due to implied zero-day/privilege escalation context.
- CWE: Not specified; weakness classes include privilege escalation, memory corruption and sandbox bypass.
## Affected Systems
- **Products:** iOS, iPadOS, macOS, watchOS, visionOS, tvOS, Safari.
- **Versions:**
- Older/Supported Systems receiving backports: iOS 16.7.11, iPadOS 16.7.11, iOS 15.8.4, iPadOS 15.8.4.
- Systems receiving initial fixes for CVE-2025-24085: iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, tvOS 18.3.
- Older systems receiving backport for CVE-2025-24085: iPadOS 17.7.6, macOS 14.7.5 (Sonoma), macOS 13.7.5 (Ventura).
- Latest Systems: iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4.
- **Configurations:** Vulnerabilities relate to core OS frameworks (Core Media, Kernel, Sandbox, WebKit).
## Vulnerability Description
Apple released multiple security updates addressing numerous vulnerabilities across its operating system line-up, including notable backports for older, supported devices.
**Key Vulnerabilities Highlighted:**
1. **CVE-2025-24085 (Core Media Privilege Escalation):** This flaw, originally fixed across current OS branches in January 2025, involved a privilege escalation vulnerability within Apple's Core Media framework and has now been patched on older supported versions (e.g., iOS 15/16 series).
2. **Latest Branch Flaws (iOS 18.4 / macOS Sequoia 15.4):** These updates address serious issues, including CVE-2025-30456 (root privilege escalation via app sandbox bypass), CVE-2025-24228 (arbitrary code execution with kernel privileges), and several WebKit memory corruption/use-after-free issues (CVE-2025-24213, CVE-2025-30427).
## Exploitation
- **Status:** While the article notes that no *actively exploited* zero-day flaws were disclosed in the latest bulletins, CVE-2025-24085 was previously reported as an actively exploited zero-day in late January 2025, which necessitated backporting fixes. Treat all privilege escalation/kernel flaws as high risk.
- **Complexity:** Likely Medium to High for the most critical kernel/sandbox escape flaws.
- **Attack Vector:** Varies by CVE, but likely includes Network (for WebKit issues) and Local/Adjacent (for privilege escalation).
## Impact
- **Confidentiality:** High (arbitrary file metadata access, arbitrary code execution with kernel privileges, root privilege escalation).
- **Integrity:** High (Privilege escalation to root, arbitrary file deletion).
- **Availability:** Medium to High (Potential for system instability or Denial of Service from memory corruption or privilege escalation).
## Remediation
### Patches
Users must update to the following versions to receive fixes:
- **iOS/iPadOS:** 18.4, 17.7.6 (for older branches), 16.7.11, 15.8.4.
- **macOS:** Sequoia 15.4, 14.7.5 (Sonoma), 13.7.5 (Ventura).
- **Other:** watchOS 11.3, visionOS 2.3, tvOS 18.3, Safari 18.4.
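As an added example (not part of the advisory or of Apple's tooling), a small Python check that maps each device's OS branch to the minimum fixed version listed above and flags devices still below it; the device inventory is constructed sample data, and `MIN_FIXED` encodes only the branches this report names.

```python
"""Fleet patch-level check for the Apple updates summarised in this report.

Added example, not from the advisory. Minimum fixed versions per major
branch are taken from the Patches section above; the inventory is
constructed sample data.
"""

# (product, major branch) -> minimum version that carries the fixes
MIN_FIXED = {
    ("iOS", 18): "18.4", ("iOS", 17): "17.7.6", ("iOS", 16): "16.7.11", ("iOS", 15): "15.8.4",
    ("iPadOS", 18): "18.4", ("iPadOS", 17): "17.7.6", ("iPadOS", 16): "16.7.11", ("iPadOS", 15): "15.8.4",
    ("macOS", 15): "15.4", ("macOS", 14): "14.7.5", ("macOS", 13): "13.7.5",
    ("watchOS", 11): "11.3", ("visionOS", 2): "2.3", ("tvOS", 18): "18.3",
}


def parse_version(v: str) -> tuple:
    """Turn '16.7.11' into (16, 7, 11) so versions compare numerically.

    A plain string comparison would wrongly rank '16.7.9' above '16.7.11'.
    """
    return tuple(int(part) for part in v.strip().split("."))


def check_device(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-covered' for one device."""
    installed = parse_version(version)
    floor = MIN_FIXED.get((product, installed[0]))
    if floor is None:
        return "not-covered"  # branch not listed in these advisories
    return "patched" if installed >= parse_version(floor) else "vulnerable"


def triage(inventory):
    """Group (host, product, version) records by patch status, preserving order."""
    result = {"patched": [], "vulnerable": [], "not-covered": []}
    for host, product, version in inventory:
        result[check_device(product, version)].append(host)
    return result


SAMPLE_INVENTORY = [  # constructed sample data
    ("iphone-01", "iOS", "18.4"),
    ("iphone-02", "iOS", "18.3.2"),
    ("ipad-03", "iPadOS", "17.7.5"),
    ("ipad-04", "iPadOS", "16.7.11"),
    ("ipad-05", "iPadOS", "16.7.9"),
    ("mac-06", "macOS", "14.7.5"),
    ("mac-07", "macOS", "13.7.4"),
    ("mac-08", "macOS", "12.7.6"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Devices reported as `not-covered` sit on a branch the advisories do not list and need a separate support decision rather than an update to one of these versions.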
### Workarounds
No specific workarounds are detailed; patching is strongly recommended, especially since some of the patched components have a zero-day history.
## Detection
- **Indicators of Compromise:** No specific IOCs are mentioned. On devices that were unpatched, look for unusual process execution or for standard user processes gaining access they should not have, particularly around media handling or file system operations.
- **Detection Methods and Tools:** Standard endpoint security solutions capable of monitoring kernel/system calls and memory integrity. Tracking OS version levels across the fleet to confirm the updates have been applied promptly is critical.
## References
- Vendor Advisory (iOS/iPadOS 18.4/17.7.6/16.7.11/15.8.4): support.apple.com/en-us/122371, support.apple.com/en-us/122346, support.apple.com/en-us/122345
- Vendor Advisory (macOS 15.4/14.7.5/13.7.5): support.apple.com/en-us/122373, support.apple.com/en-us/122374, support.apple.com/en-us/122375
- Vendor Advisory (General Core Media Fix): support.apple.com/en-us/122372
- Related Article on CVE-2025-24085 Fix: bleepingcomputer.com/news/security/apple-fixes-this-years-first-actively-exploited-zero-day-bug/