CVE-2025-24213
Published: 31 March 2025
Summary
CVE-2025-24213 is a high-severity Type Confusion (CWE-843) vulnerability in Apple Ipados. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of identified flaws like this type confusion vulnerability through patching to fixed versions such as Safari 18.5.
Provides memory protection mechanisms such as ASLR and DEP to mitigate arbitrary code execution from memory corruption caused by type confusion.
Enforces process isolation and sandboxing in components like Safari to limit the impact of local memory corruption exploits requiring user interaction.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a client-side type confusion vulnerability in Safari and other Apple components leading to memory corruption and arbitrary code execution with local attack vector and user interaction required, directly enabling T1203 Exploitation for Client Execution.
NVD Description
This issue was addressed with improved handling of floats. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. A type confusion issue could lead to memory…
more
corruption.
Deeper analysisAI
CVE-2025-24213 is a type confusion vulnerability (CWE-843) stemming from improper handling of floats, which could lead to memory corruption. The issue affects multiple Apple platforms and components, including Safari prior to version 18.5, iOS prior to 18.5, iPadOS prior to 18.5 and 17.7.7, macOS Sequoia prior to 15.5, tvOS prior to 18.5, visionOS prior to 2.5, and watchOS prior to 11.5.
The vulnerability has a CVSS v3.1 base score of 7.8 (High), with local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R). A local attacker could exploit it to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution through memory corruption upon successful type confusion.
Apple addressed the issue through improved float handling in the listed fixed versions. Official advisories detailing the patches are available at https://support.apple.com/en-us/122404, https://support.apple.com/en-us/122405, https://support.apple.com/en-us/122716, https://support.apple.com/en-us/122719, and https://support.apple.com/en-us/122720. Security practitioners should prioritize updating affected devices to mitigate exposure.
Details
- CWE(s)