Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks

A zero-day affecting WebKit-based browsers has just been disclosed and patched by Apple. Although little information has been released, it appears to have been used in targeted attacks in which threat actors craft malicious web content to break out of the Web Content sandbox.

Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in “extremely sophisticated” attacks.

The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple’s Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.

“This is a supplementary fix for an attack that was blocked in iOS 17.2,” the iPhone maker said in security advisories issued on Tuesday. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”

Apple said attackers can exploit the CVE-2025-24201 vulnerability using maliciously crafted web content to break out of the Web Content sandbox.

The list of devices impacted by this zero-day is quite extensive, as the bug affects both older and newer models, including:

  • iPhone XS and later
  • iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Sequoia
  • Apple Vision Pro

Make sure to update your devices as soon as possible!
