CVE-2025-24201
Published: 11 March 2025
Summary
CVE-2025-24201 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability ranks at the 46.8th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Implements memory protection mechanisms such as bounds checking to directly prevent out-of-bounds writes from corrupting memory and enabling Web Content sandbox escape.
Enforces process isolation for Web Content processes, strengthening the sandbox to block breakout attempts even if memory corruption occurs.
Requires timely identification, testing, and installation of patches to remediate the specific out-of-bounds write flaw in Safari and Apple OS components.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds write in the Safari Web Content sandbox allows malicious web content to escape the sandbox with no user interaction, directly enabling drive-by compromise via crafted web content and exploitation for client execution.
NVD Description
An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).
Deeper analysis
CVE-2025-24201 is an out-of-bounds write vulnerability (CWE-787) that was addressed through improved bounds checks to prevent unauthorized actions. It affects the Web Content sandbox in Safari and multiple Apple platforms, including iOS versions prior to 15.8.4, 16.7.11, and 18.3.2; iPadOS versions prior to 15.8.4, 16.7.11, 17.7.6, and 18.3.2; macOS Sequoia prior to 15.3.2; visionOS prior to 2.3.2; and watchOS prior to 11.4. Maliciously crafted web content may exploit the issue to break out of the Web Content sandbox.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction (CVSS:3.1 score of 10.0; AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation enables breakout from the sandbox, with potentially high impact on the confidentiality, integrity, and availability of the affected device.
Apple security advisories detail patches in the listed versions, including Safari 18.3.1 and corresponding OS updates, available via https://support.apple.com/en-us/122281, https://support.apple.com/en-us/122283, https://support.apple.com/en-us/122284, https://support.apple.com/en-us/122285, and https://support.apple.com/en-us/122345. Security practitioners should prioritize updating affected devices.
This issue serves as a supplementary fix for an attack blocked in iOS 17.2. Apple is aware of a report that it may have been exploited in an extremely sophisticated attack targeting specific individuals on iOS versions prior to 17.2.
Details
- CWE(s)
- KEV Date Added: 13 March 2025