CVE-2025-43209

Critical

Published: 30 July 2025

Published

30 July 2025

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-43209 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Macos. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching of the WebKit out-of-bounds access flaw, as confirmed by Apple's advisories requiring updates to fixed versions.

SI-10 Information Input Validation good match

prevent

Requires validation of web content inputs with bounds checking to prevent out-of-bounds access during processing in Safari/WebKit.

SI-16 Memory Protection partial match

prevent

Provides memory protections like ASLR and DEP to mitigate exploitation of the out-of-bounds access vulnerability even if triggered.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Out-of-bounds WebKit vulnerability in Safari enables remote code execution via malicious web content with no user interaction beyond browsing, directly mapping to drive-by compromise and client application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted…

web content may lead to an unexpected Safari crash.

Deeper analysisAI

CVE-2025-43209 is an out-of-bounds access vulnerability (CWE-787) addressed through improved bounds checking in WebKit, the browser engine used by Safari. It affects Safari on multiple Apple platforms prior to the following releases: iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, and watchOS 11.6. The issue was publicly disclosed on July 30, 2025, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers require no privileges or user interaction beyond typical web browsing and can exploit the vulnerability with low complexity by delivering maliciously crafted web content. Successful exploitation leads to an unexpected Safari crash, with the high CVSS impact metrics indicating potential for significant confidentiality, integrity, and availability disruptions.

Apple's security advisories (https://support.apple.com/en-us/124147, https://support.apple.com/en-us/124148, https://support.apple.com/en-us/124149, https://support.apple.com/en-us/124150, https://support.apple.com/en-us/124151) confirm the issue is fully mitigated by updating to the listed fixed versions across affected platforms. Security practitioners should prioritize patching all Apple devices running Safari, especially those exposed to untrusted web content.

Details

CWE(s): CWE-787

Affected Products

apple

ipados

≤ 17.7.9 · 18.0 — 18.6

apple

iphone os

≤ 18.6

apple

macos

≤ 13.7.7 · 14.0 — 14.7.7 · 15.0 — 15.6

apple

tvos

≤ 18.6

apple

visionos

≤ 2.6

apple

watchos

≤ 11.6

CVEs Like This One

CVE-2024-54543Same product: Apple Ipados

CVE-2024-54523Same product: Apple Ipados

CVE-2025-31273Same product: Apple Ipados

CVE-2025-31278Same product: Apple Ipados

CVE-2025-31277Same product: Apple Ipados

CVE-2024-54517Same product: Apple Ipados

CVE-2024-54522Same product: Apple Ipados

CVE-2026-20616Same product: Apple Ipados

CVE-2025-43234Same product: Apple Ipados

CVE-2026-20698Same product: Apple Ipados

References

https://support.apple.com/en-us/124147
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124148
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124149
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124150
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124151
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124153
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124154
Release Notes, Vendor Advisory · product-security@apple.com
https://support.apple.com/en-us/124155
Release Notes, Vendor Advisory · product-security@apple.com
http://seclists.org/fulldisclosure/2025/Jul/31
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jul/32
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jul/33
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jul/34
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jul/36
af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2025/Jul/37
af854a3a-2127-422b-91ae-364da2661108