Cyber Resilience

CVE-2025-24137

High

Published: 27 January 2025

Modified: 02 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24137 is a high-severity Type Confusion (CWE-843) vulnerability in Apple iPadOS. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 13.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-24137 is a type confusion vulnerability (CWE-843) addressed through improved checks in multiple Apple operating systems. It affects iOS prior to version 18.3, iPadOS prior to 18.3 and 17.7.4, macOS Sequoia prior to 15.3, macOS Sonoma prior to 14.7.3, tvOS prior to 18.3, and visionOS prior to 2.3. The flaw allows an attacker on the local network to corrupt process memory, earning a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An adjacent network attacker with no privileges can exploit this vulnerability by tricking a user into interacting with malicious content, such as clicking a link or opening a file. Successful exploitation leads to high-impact consequences, including unauthorized access to sensitive data (confidentiality), modification of system resources (integrity), and disruption of services (availability) through process memory corruption.

Apple's security advisories detail mitigations via software updates, with the issue fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, tvOS 18.3, and visionOS 2.3. Security practitioners should prioritize patching affected devices and advise users to avoid interacting with untrusted local network content. Relevant advisories are available at support.apple.com/en-us/122066, 122067, 122068, 122069, and 122072.

EU & UK References

Vulnerability details

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, tvOS 18.3, visionOS 2.3. An attacker on the local network may corrupt process memory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The type confusion vulnerability enables an adjacent network attacker to achieve process memory corruption and high-impact code execution by tricking a user into interacting with malicious content (e.g., link or file), directly mapping to client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24213 · Same product: Apple iPadOS
CVE-2025-24129 · Same product: Apple iPadOS
CVE-2025-43186 · Same product: Apple iPadOS
CVE-2025-43234 · Same product: Apple iPadOS
CVE-2026-28983 · Same product: Apple iPadOS
CVE-2025-43529 · Same product: Apple iPadOS
CVE-2025-24190 · Same product: Apple iPadOS
CVE-2026-28905 · Same product: Apple iPadOS
CVE-2026-43661 · Same product: Apple iPadOS
CVE-2025-24230 · Same product: Apple iPadOS

Affected Assets

apple ipados: ≤ 17.7.4 · 18.0 — 18.3
apple iphone os: ≤ 18.3
apple macos: ≤ 14.7.3 · 15.0 — 15.3
apple tvos: ≤ 18.3
apple visionos: ≤ 2.3
apple watchos: ≤ 11.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mitigates the type confusion vulnerability by requiring timely remediation through patching to the fixed Apple OS versions.

Prevent: Implements memory safeguards that protect against process memory corruption resulting from the type confusion exploit.

Prevent: Enforces validation of network inputs to prevent malformed data from triggering the type confusion issue via user interaction with malicious local network content.

References