
CVE-2025-43300: Apple ImageIO Zero-Day Exploited in Targeted Attacks

Filip Dimitrov

August 22, 2025

Apple patched CVE-2025-43300, a zero-day in the ImageIO framework used system-wide to read/write many image formats. Opening or previewing a malicious image can corrupt memory and, depending on exploit reliability, enable code execution. Apple acknowledges in-the-wild exploitation against select targets. 

Patches landed on August 20, 2025 across iOS, iPadOS and macOS, and the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on August 21, 2025.

Affected Products & Fixed Versions

Update to at least the versions below (or later):

  • iOS: 18.6.2
  • iPadOS: 18.6.2 (current devices), 17.7.10 (older supported iPads)
  • macOS: Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8

Note: Release notes identify ImageIO as the impacted component and state the fix as “improved bounds checking.”

Exploitation Status

Apple is aware of exploitation in an “extremely sophisticated attack” targeting individuals. No exploit details have been published.

CISA added CVE-2025-43300 to its KEV on Aug 21, 2025, elevating patch urgency for government and enterprises. Organizations have until September 11 to apply the relevant patches.

Likely Attack Paths (ATT&CK Mapping)

While Apple did not disclose a specific vector, any app that decodes images via ImageIO is a potential delivery path (e.g., messaging, email, web, document preview). 

Plausible mappings:

  • Initial Access: Phishing attachment (T1566.001) or drive-by via web content (T1189).
  • Execution: Exploitation for client execution (T1203).

This is an analytic assessment consistent with prior ImageIO-class bugs; treat it as a low-noise, high-impact delivery route for targeted operations.

Risk to Enterprises

CVE-2025-43300 poses an outsized risk to high-value users such as executives, journalists, legal teams, and incident response staff, as well as anyone who regularly handles sensitive negotiations or information that could be of interest to well-resourced threat actors.

Because exploitation requires little user interaction, these groups are especially exposed to targeted delivery through malicious images.

Recommended Actions

Patch fast (48–72h objective; sooner for VIPs).

  • Enforce update to: iOS 18.6.2 / iPadOS 18.6.2 (or 17.7.10 for legacy), macOS Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8 via MDM/patch rings. Track compliance to 100% for VIP devices. 

MDM controls & monitoring:

  • Create smart groups for devices below fixed builds; alert on non-compliance daily.
  • On macOS, monitor for crashes in ImageIO-linked processes (Preview, QuickLook, Safari, Mail) that may indicate exploit attempts; capture crash logs and Unified Logs for forensics.
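
One way to compute the "below fixed build" group from an MDM inventory export, as an added example (not OP Innovate's or Apple's code). The inventory rows, device names and function names are constructed for illustration; the version floors are the ones listed in this advisory, and treating a newer major release as patched is an assumption.

```python
# Fixed versions from this advisory, keyed by platform and major release train.
FIXED = {
    "iOS": {18: (18, 6, 2)},
    "iPadOS": {18: (18, 6, 2), 17: (17, 7, 10)},
    "macOS": {15: (15, 6, 1), 14: (14, 7, 8), 13: (13, 7, 8)},
}

def parse_version(text):
    """'15.6' -> (15, 6, 0). Numeric tuples avoid the string-compare trap
    where '17.7.10' sorts below '17.7.9'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version):
    """Return 'patched', 'vulnerable', 'no-fix-listed' or 'unknown'."""
    trains = FIXED.get(platform)
    if trains is None:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # surface for manual review rather than guessing
    if v[0] > max(trains):
        return "patched"  # assumption: later major releases carry the fix
    floor = trains.get(v[0])
    if floor is None:
        # Train has no fixed build in the advisory: the device must move
        # to a listed train to be covered.
        return "no-fix-listed"
    return "patched" if v >= floor else "vulnerable"

def noncompliant(inventory):
    """Devices that belong in the 'below fixed build' smart group."""
    results = ((name, classify(plat, ver)) for name, plat, ver in inventory)
    return [(name, status) for name, status in results if status != "patched"]

# Constructed sample inventory (device name, platform, OS version).
INVENTORY = [
    ("ceo-iphone", "iOS", "18.6.1"),
    ("legal-ipad", "iPadOS", "17.7.10"),
    ("ir-macbook", "macOS", "14.7.8"),
    ("lab-mac", "macOS", "15.6"),
    ("old-iphone", "iOS", "17.7.2"),
]

if __name__ == "__main__":
    for name, status in noncompliant(INVENTORY):
        print(f"{name}: {status}")
```

Devices reported as `no-fix-listed` or `unknown` need the same daily alerting as `vulnerable` ones, since neither state confirms the fix is installed.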

User awareness (targeted):

  • Short advisory to VIPs: “Do not open or forward unexpected images; update now.”

If you need assistance or suspect a breach, OP Innovate’s Incident Response team is ready to support you.

Stay Safe. Stay Secure.
OP Innovate Research Team
