

Apple Inc. has released an emergency security update to address a “zero-day” vulnerability in its ImageIO framework that has been actively exploited in the wild.
A zero-day is a previously unknown software vulnerability that is discovered by attackers before the developer has created a fix. The ImageIO framework is a core component of Apple’s operating systems responsible for handling various image file formats.
The zero-day in this case, tracked as CVE-2025-43300, is described by Apple as a flaw in which processing a malicious image file may result in memory corruption. Apple confirmed it is aware of reports that the vulnerability may have been exploited in targeted attacks before the patch was released, though the company did not provide details about the scope or attribution.
The patches, released on Aug. 20, cover iOS, iPadOS and macOS. The fix is included in iOS 18.6.2 and iPadOS 18.6.2 for current devices, iPadOS 17.7.10 for older models and macOS Sequoia 15.6.1, Sonoma 14.7.8 and Ventura 13.7.8.
Users are advised to update their devices immediately to the latest versions. On iPhones and iPads, updates can be installed under Settings > General > Software Update, while Mac users can apply them through System Settings > General > Software Update.
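For anyone responsible for more than one device, the version list above can be turned into an inventory check. The following is an added example, not code from Apple or from the sources quoted in this article; the CSV column names and device names are constructed, and release trains the article does not name are reported as unlisted rather than guessed.

```python
import csv
import io

# Fixed versions as listed in the article, keyed by (platform, major version).
FIXED = {
    ("iOS", 18): (18, 6, 2), ("iPadOS", 18): (18, 6, 2), ("iPadOS", 17): (17, 7, 10),
    ("macOS", 15): (15, 6, 1), ("macOS", 14): (14, 7, 8), ("macOS", 13): (13, 7, 8),
}

# Constructed sample inventory; column names are hypothetical, not a real MDM export.
SAMPLE_INVENTORY = """device,platform,version
exec-iphone,iOS,18.6.1
field-ipad,iPadOS,17.7.9
lab-ipad,iPadOS,17.7.10
design-mac,macOS,15.6.1
build-mac,macOS,14.7
legacy-mac,macOS,12.7.6
"""

def parse_version(text):
    """Turn '14.7' into (14, 7, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def patch_status(platform, version):
    """Classify one device against the fixed version for its own release train."""
    v = parse_version(version)
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "unlisted"  # train not named in the article: review by hand
    return "patched" if v >= fixed else "needs-update"

def audit(inventory_csv):
    """Group device names by patch status."""
    report = {"patched": [], "needs-update": [], "unlisted": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[patch_status(row["platform"], row["version"])].append(row["device"])
    return report

if __name__ == "__main__":
    for state, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(devices) or '-'}")
```

The tuple comparison matters for iPadOS 17.7.10: compared as plain strings, "17.7.9" sorts after "17.7.10" and an unpatched device would be reported as current.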
Adam Boynton, senior security strategy manager at Apple device management company Jamf Holding Corp., told SiliconANGLE via email that “Apple has indicated that this vulnerability has been exploited in sophisticated, targeted attacks, which typically focus on individuals with highly valued access or contacts, such as journalists, lawyers, activists and government officials.”
“While Apple has not confirmed whether this specific flaw was linked to spyware, similar vulnerabilities in ImageIO and WebKit have previously been used in Pegasus campaigns,” Boynton added. “Even though the exploitation appears targeted, we recommend that all users update to iOS 18.6.2 immediately, particularly those in industries most at risk of spyware attacks.”
Satnam Narang, senior staff research engineer at exposure management company Tenable Holdings Inc., added that “traditionally, Apple has limited the amount of detail it shares about in-the-wild exploitation of zero-days across Apple products. However, they rarely use the language of ‘an extremely sophisticated attack against specific targeted individuals.’ Based on my assessment, Apple started using this language in 2025 for other CVEs, including CVE-2025-24201, CVE-2025-24200, CVE-2025-31200, CVE-2025-43200, and CVE-2025-43300. This language suggests that Apple is being purposeful in its external communication.”