The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Apple vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies and private sector organizations to patch their devices immediately. The flaw, identified as CVE-2025-43300, affects multiple operating systems, including iOS, iPadOS, and macOS. Its addition to the catalog signals that it is not just a theoretical threat but is being actively exploited in the wild.
The vulnerability is an out-of-bounds write in Apple's Image I/O framework, the system library that decodes image formats on behalf of most applications on the platform. Apple's advisory describes it plainly: processing a malicious image file may result in memory corruption, and Apple is aware of a report that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals. Because it was being exploited before Apple had a fix available, it is a zero-day, and attackers had a head start over defenders. Exploitation requires only that a maliciously crafted image reach the device; when Image I/O parses it, the out-of-bounds write corrupts memory, which can be turned into arbitrary code execution.
What makes this vulnerability particularly dangerous is its "zero-click" nature. Image I/O decodes images automatically, for example to render a message preview or a thumbnail, so a user does not need to open the image or interact with it at all for the exploit to run. Simply receiving the malicious file through an app such as iMessage, or having a browser load it from a website, can be enough to compromise a device. Zero-click image and media parsing bugs are a recurring tactic of sophisticated threat actors against high-value targets, which is consistent with Apple's description of attacks on specific targeted individuals.
CISA’s inclusion of CVE-2025-43300 in its KEV catalog is a direct call to action. Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to address this vulnerability by September 11, 2025. CISA strongly recommends that all organizations and individual users follow the same urgent guidance.
Apple has already released security updates to fix the flaw. The fix ships in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 (for iPads that cannot run iPadOS 18), macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. Users are advised to install these patches as soon as possible; on a Mac, `sw_vers -productVersion` in Terminal shows the installed version, and on iPhone or iPad it is under Settings > General > About. Organizations should also prioritize inventorying their Apple devices, typically from an MDM export, and compare each device's OS version against the fixed version for its major release, since a device on an older, unsupported major release has no patch and must be upgraded or retired. Failure to do so could expose them to potential data theft, system compromise, or further network infiltration.
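The inventory check described above, written out as an added example (this is not code from the article, CISA, or Apple): it reads a constructed MDM-style CSV export and classifies each device against the fixed versions listed in Apple's advisory for CVE-2025-43300. The column names `device`, `platform` and `os_version` are assumptions about the export format, and the sample rows are constructed for illustration (including a hypothetical `14.7.10` to show why versions must be compared numerically rather than as strings, and a hypothetical `26.0` for a major release the advisory does not cover).

```python
"""Triage an Apple device inventory against the CVE-2025-43300 fixed versions."""
import csv
import io

# Minimum fixed version per (platform, major release), from Apple's advisory.
# Majors not listed here have no fix: older ones are end-of-life, newer ones
# post-date the advisory and need manual review.
FIXED_VERSIONS = {
    ("iOS", 18): (18, 6, 2),
    ("iPadOS", 18): (18, 6, 2),
    ("iPadOS", 17): (17, 7, 10),
    ("macOS", 15): (15, 6, 1),   # Sequoia
    ("macOS", 14): (14, 7, 8),   # Sonoma
    ("macOS", 13): (13, 7, 8),   # Ventura
}

# Constructed sample export; column names are assumed, not a real MDM schema.
SAMPLE_INVENTORY = """device,platform,os_version
mac-01,macOS,15.6.1
mac-02,macOS,14.7.8
mac-03,macOS,14.7.10
mac-04,macOS,13.7.7
mac-05,macOS,12.7.6
mac-06,macOS,26.0
iphone-01,iOS,18.6.2
iphone-02,iOS,18.6
ipad-01,iPadOS,17.7.9
ipad-02,iPadOS,17.7.10
"""


def parse_version(text):
    """Turn '18.6' or '14.7.10' into a zero-padded numeric 3-tuple.

    Numeric tuples compare correctly ('14.7.10' > '14.7.8'); the raw strings
    would not, because '1' < '8' lexicographically.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def status(platform, version_text):
    """Classify one device: patched, vulnerable, unpatched_major, or review."""
    version = parse_version(version_text)
    majors = [m for (p, m) in FIXED_VERSIONS if p == platform]
    if not majors:
        return "review"                 # platform the advisory does not cover
    if version[0] < min(majors):
        return "unpatched_major"        # no fix exists; upgrade or retire
    if version[0] > max(majors):
        return "review"                 # newer major than the advisory lists
    return "patched" if version >= FIXED_VERSIONS[(platform, version[0])] else "vulnerable"


def triage(csv_text):
    """Group device names in a CSV export by their CVE-2025-43300 status."""
    buckets = {"vulnerable": [], "patched": [], "unpatched_major": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[status(row["platform"], row["os_version"])].append(row["device"])
    return buckets


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:16s} {', '.join(devices) or '-'}")
```

The `vulnerable` bucket is the patch-now list; `unpatched_major` devices cannot be fixed in place and need an OS upgrade or replacement before the BOD 22-01 due date; `review` entries are releases the advisory does not mention and should be checked against Apple's current security release notes rather than assumed safe.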