Apple Warns of Zero-Day Exploits Targeting Specific iOS Users in Sophisticated Attacks

Cupertino, California – April 16, 2025
Apple has disclosed that two zero-day vulnerabilities in iOS were exploited in “extremely sophisticated” attacks against “specific targeted individuals,” prompting emergency security updates released on April 15, 2025. Tracked as CVE-2025-24236 and CVE-2025-24237, the flaws affected WebKit and the iOS kernel, respectively, allowing attackers to bypass security measures on iPhones running versions prior to iOS 18.3.3, per Ars Technica and BleepingComputer. The revelation, coupled with a lack of detailed attribution, has sparked concern on X, where users speculate about state-sponsored espionage while urging immediate updates.

The Vulnerabilities

The first flaw, CVE-2025-24236, lies in WebKit, the engine powering Safari and other iOS browsers, enabling malicious web content to escape the Web Content sandbox and execute arbitrary code, per Apple’s Security Advisory. The second, CVE-2025-24237, is a kernel vulnerability granting attackers read-and-write access to bypass memory protections, potentially allowing device takeover, per CSO Online. Affected devices include iPhone XS and later, plus various iPad models, with patches rolled out in iOS 18.3.3 and iPadOS 18.3.3, per The Hacker News.

Apple noted the attacks targeted “specific individuals,” likely high-profile figures like journalists, activists, or dissidents, using tactics reminiscent of spyware campaigns by vendors like NSO Group, per Infosecurity Magazine. The company credited Citizen Lab’s Bill Marczak for discovering CVE-2025-24236, suggesting a link to surveillance research, though no specifics on perpetrators or victims were shared, per Dark Reading. On X, users connect the dots: “Sounds like Pegasus-style targeting—scary stuff,” one posted, while another asked, “Why so vague, Apple?”

Context and Response

These are Apple’s fourth and fifth zero-days patched in 2025, following CVE-2025-24085 (January), CVE-2025-24200 (February), and CVE-2025-24201 (March), all tied to targeted attacks, per BleepingComputer. In 2024, Apple addressed six zero-days, down from 20 in 2023, reflecting persistent threats to iOS, per Malwarebytes. The latest fixes build on iOS 17.2’s defenses, with Apple urging users to update immediately, as broader exploitation could follow once details leak, per TechTarget.

The attacks’ sophistication—potentially requiring physical access for CVE-2025-24237—points to well-funded actors, possibly nation-states, per Field Effect. X sentiment mixes alarm with pragmatism: “Regular users are safe, but update anyway,” one user advised, while another warned, “If you’re a target, no patch saves you forever.” Apple’s silence on attack scope fuels speculation, with some on X joking, “Bet it’s diplomats or crypto bros.”

Why It Matters

Zero-days, exploits for flaws the vendor does not yet know about, are rare but devastating, fetching up to $2 million on brokerage markets like Zerodium, per Dark Reading (2020). Apple’s iOS, with its 1.8 billion active devices, remains a prime target, per 2024 Statista data. While most users face low risk, the targeting of individuals—like those in past Pegasus cases—raises privacy concerns, per The Guardian. As one X user put it, “Apple’s fighting spies while we’re just scrolling.”

Users should navigate to Settings > General > Software Update to install iOS 18.3.3. For now, the focus is on high-risk individuals, but the broader iOS ecosystem watches closely.
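For administrators of managed fleets, the practical check is which devices still sit below the patched release. The following is an added illustration, not code from Apple or from any outlet cited here: it reads a constructed inventory export (the CSV layout is an assumption, not any specific MDM's format) and flags devices running a version older than 18.3.3, comparing versions numerically so that a release like 18.10 is not misranked below 18.3.3 the way a plain string comparison would.

```python
"""Fleet check: flag devices still below the iOS/iPadOS release that patched
CVE-2025-24236 and CVE-2025-24237 (18.3.3, as reported above).
Added example; the inventory layout below is constructed, not a real MDM export."""
import csv
import io
from typing import List, Tuple

PATCHED_VERSION = "18.3.3"

# Constructed sample inventory (device ids and models are made up).
SAMPLE_INVENTORY = """device_id,model,os_version
dev-001,iPhone 15 Pro,18.3.3
dev-002,iPhone XS,18.3.2
dev-003,iPad Pro,18.10
dev-004,iPhone 14,18.4
dev-005,iPhone 11,17.7.2
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.3.3' into (18, 3, 3) so comparisons are numeric.

    A string compare would wrongly rank '18.10' below '18.3.3';
    tuples of ints compare component by component instead.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    # Pad short versions so '18.4' becomes (18, 4, 0).
    return parts + (0,) * (3 - len(parts))


def is_patched(os_version: str, baseline: str = PATCHED_VERSION) -> bool:
    """True when the device runs the patched release or anything newer."""
    return parse_version(os_version) >= parse_version(baseline)


def unpatched_devices(inventory_csv: str) -> List[str]:
    """Return the device_ids whose os_version is older than the patched release."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row["device_id"] for row in reader if not is_patched(row["os_version"])]


if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev}: below iOS {PATCHED_VERSION}, schedule the update")
```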

By Staff Writer, Tech Threat Tracker
Sources: Ars Technica, BleepingComputer, Apple’s Security Advisory, CSO Online, The Hacker News, Infosecurity Magazine, Dark Reading, Malwarebytes, TechTarget, Field Effect, The Guardian, posts on X
