Apple has released updated versions of its iOS and iPadOS mobile operating system (OS) that address a potentially dangerous vulnerability that appears to have been exploited in the wild.
The two releases, iOS 18.3.2 and iPadOS 18.3.2, are available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Collectively, the update addresses a single vulnerability tracked as CVE-2025-24201. Apple customarily releases very sparse details of the vulnerabilities it addresses to avoid giving too much away to threat actors, and the flaw in question is no exception.
Apple revealed that the flaw is an out-of-bounds write issue affecting the WebKit open source web browser engine that powers Safari, Mail, App Store and many other Apple and Linux ecosystem applications.
Cupertino said: “Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2.”
Version 17.2 of the two OSes dates back just over a year to December 2023, and besides security fixes brought a large number of new features to Apple’s mobile estate, including the launch of a diary feature called Journal, and enhancements to its Weather app, among other things.
Nation-state adversary?
In its update notes, Apple indicated that it took steps to address the issue after it became aware of exploitation of CVE-2025-24201 in the wild. The firm said: “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”
The fact that this attack is being described as sophisticated and targeted likely indicates that the vulnerability was used by a nation-state threat actor, possibly against individuals of interest to the intelligence services in that country. To Western ears, this could indicate exploitation by actors linked to China, Iran, North Korea or Russia.
However, given Apple mobile devices are so widely used, other countries and even private companies are known to seek out and leverage vulnerabilities in its device estate for similar purposes.
Notably, disgraced Israeli spyware manufacturer NSO Group – the organisation behind the Pegasus malware that was famously used by the Saudi Arabian regime against murdered journalist Jamal Khashoggi – exploited multiple Apple vulnerabilities in the service of its mercenary activities.
Even though this might indicate the risk to everyday members of the public might be limited, Sylvain Cortes, vice-president of strategy at Hackuity, told Computer Weekly that all users should take steps to protect themselves.
“The flaw poses a significant risk to users of older versions of the operating system, particularly those released before iOS 17.2,” said Cortes. “We highly encourage users to update their devices to iOS 18.3.2 as soon as possible to maintain the security and privacy of their data.”
Besides the fix, the update also brings new customisation options for Apple users, a redesigned Photos application, “new ways to express yourself” in Messages, a hiking feature in Maps, and updates to Wallet.
