Cyber Resilience

CVE-2025-24201

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 11 March 2025

Modified: 03 April 2026
KEV Added: 13 March 2025
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.5th percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24201 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 43.5th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

An out-of-bounds write vulnerability, tracked as CVE-2025-24201 and assigned CWE-787, affects multiple Apple platforms and is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, and watchOS 11.4. The flaw resides in the Web Content sandbox and was addressed through improved input validation checks. It carries a CVSS 3.1 base score of 10.0, reflecting a network-exploitable flaw that requires no privileges or user interaction and could result in full confidentiality, integrity, and availability impact under a changed scope.

An attacker can deliver maliciously crafted web content to trigger the out-of-bounds write, enabling a sandbox escape that grants unauthorized actions outside the Web Content process. The issue serves as a supplementary fix for an attack vector that had already been mitigated in iOS 17.2, indicating the vulnerability could be chained with other flaws to achieve elevated code execution on affected devices.

Apple security advisories at the listed support URLs detail the affected builds and confirm that updates to the versions enumerated above remediate the issue. The advisories explicitly note that the vulnerability received a targeted fix after earlier mitigations proved insufficient for certain sophisticated attack chains.
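An added example (not code from Apple or from this page's publisher): a fleet triage check that compares reported OS versions against the fixed releases listed above. The host names and inventory are constructed; a branch with no fix listed on this page (for example iOS 17.x) is reported as `unlisted-branch` for manual review against the vendor advisory rather than guessed.

```python
import re

# Fixed releases per product and major branch, copied from the text of this page.
FIXED = {
    "safari":   {18: "18.3.1"},
    "ios":      {15: "15.8.4", 16: "16.7.11", 18: "18.3.2"},
    "ipados":   {15: "15.8.4", 16: "16.7.11", 17: "17.7.6", 18: "18.3.2"},
    "macos":    {15: "15.3.2"},
    "visionos": {2: "2.3.2"},
    "watchos":  {11: "11.4"},
}

def parse_version(text):
    """Turn '16.7.10' or '18.3 (22D63)' into a 3-tuple padded with zeros."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version):
    """Return (status, fixed_release) for one device."""
    branches = FIXED.get(product.strip().lower())
    if branches is None:
        return ("not-covered", None)        # product not named on this page
    current = parse_version(version)
    fixed = branches.get(current[0])
    if fixed is None:
        return ("unlisted-branch", None)    # no fix listed for this major version
    status = "patched" if current >= parse_version(fixed) else "vulnerable"
    return (status, fixed)

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("iphone-0412", "iOS", "16.7.10"),
    ("ipad-0033", "iPadOS", "17.7.6"),
    ("iphone-0987", "iOS", "17.6.1"),
    ("mbp-0150", "macOS", "15.3.1 (24D70)"),
    ("watch-0007", "watchOS", "11.4"),
]

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        print(f"{host:12} {status:16} fixed in: {fixed or 'see advisory'}")
```
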

Apple has stated it is aware of reporting that the vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS versions prior to 17.2. The current EPSS score of 0.0021 reflects limited observed exploitation interest to date.

Vulnerability details

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)

CWE(s): CWE-787
KEV Date Added: 13 March 2025

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1189 Drive-by Compromise · Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Out-of-bounds write in Safari Web Content sandbox allows malicious web content to escape sandbox with no user interaction, directly enabling drive-by compromise via crafted web content and exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-31277 · Same product: Apple iPadOS · both on KEV
CVE-2024-54543 · Same product: Apple iPadOS
CVE-2025-43300 · Same product: Apple iPadOS · both on KEV
CVE-2025-43209 · Same product: Apple iPadOS
CVE-2023-43010 · Same product: Apple iPadOS
CVE-2025-43529 · Same product: Apple iPadOS · both on KEV
CVE-2025-6558 · Same product: Apple iPadOS · both on KEV
CVE-2026-3909 · Same product: Apple macOS · both on KEV
CVE-2025-14174 · Same product: Apple iPadOS · both on KEV
CVE-2025-27363 · Same product: Debian Debian Linux · both on KEV

Affected Assets

apple · safari: ≤ 18.3.1
apple · macos: 15.0 — 15.3.2
apple · visionos: ≤ 2.3.2
apple · watchos: ≤ 11.4
apple · ipados: 15.8 — 15.8.4 · 16.7 — 16.7.11 · 17.0 — 17.7.6
apple · iphone os: 15.8 — 15.8.4 · 16.7 — 16.7.11 · 17.0 — 18.3.2
debian · debian linux: 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Implements memory protection mechanisms such as bounds checking to directly prevent out-of-bounds writes from corrupting memory and enabling Web Content sandbox escape.

prevent: Enforces process isolation for Web Content processes, strengthening the sandbox to block breakout attempts even if memory corruption occurs.

prevent: Requires timely identification, testing, and installation of patches to remediate the specific out-of-bounds write flaw in Safari and Apple OS components.
