Apple has rolled out two new updates to patch a zero-day vulnerability in the ImageIO framework, which may have already been exploited in attacks against specific individuals.
The flaw, tracked as CVE-2025-43300 and addressed in iOS 16.7.12 and iPadOS 16.7.12, allows memory corruption on Apple phones when a malicious file is processed.
In a security advisory released on Monday, Apple said the bug stems from an out-of-bounds write issue. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the iPhone maker said.
The patch covers both newer and older iPhones, iPads, and related devices, including those not running the very latest version of Apple's operating systems. The company warns that since this flaw may have been actively abused in the wild, all users, especially those on older models, should install the update immediately.
Patch back-ported to older devices
CVE-2025-43300 received a critical severity rating (CVSS 8.8 out of 10) and was patched in iOS 18.6.2 and iPadOS 18.6.2 last month. On Monday, Apple extended the patch to earlier end-of-life (EOL) builds in light of reports of active exploitation.
The affected module, Apple's ImageIO, is the framework responsible for reading, writing, and otherwise processing images in many iOS/iPadOS applications. The vulnerability is triggered when certain malicious image files are handled: the system performs out-of-bounds writes because the existing bounds validation is insufficient.
Apple's security notice says that the fix consists of improved bounds checking in the framework to prevent out-of-bounds writes. The devices that received the latest update (16.7.12) include the iPhone 8, iPhone 8 Plus, iPhone X, 5th-generation iPad, and early iPad Pro models.
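To illustrate the bug class described above (an image decoder trusting header-declared sizes, then writing out of bounds) beside the kind of bounds check that fixes it, here is a constructed example. It is not Apple's ImageIO code; the toy image format, the function names and the sample inputs are all invented for the demonstration.

```c
/* Constructed illustration of the bug class described above (not Apple's ImageIO code): a toy
 * image decoder that trusts header-declared sizes, beside the bounds-checked version of the same routine. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HDR_LEN 8   /* toy header: width u16 LE, height u16 LE, bytes-per-pixel u8, 3 bytes pad */
typedef struct { uint16_t width, height; uint8_t bpp; } img_hdr_t;

int read_hdr(const uint8_t *buf, size_t len, img_hdr_t *h) {
    if (buf == NULL || len < HDR_LEN) return 0;
    h->width  = (uint16_t)(buf[0] | (buf[1] << 8));
    h->height = (uint16_t)(buf[2] | (buf[3] << 8));
    h->bpp    = buf[4];
    return 1;
}

/* FLAWED: only checks that the header is present, then trusts width*height*bpp.
 * A header claiming more pixels than dst holds makes memcpy write past the end of dst.
 * Returns bytes copied, 0 on rejection. */
size_t decode_flawed(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap) {
    img_hdr_t h;
    if (!read_hdr(buf, len, &h)) return 0;
    size_t n = (size_t)h.width * h.height * h.bpp;   /* never compared with dst_cap or len */
    (void)dst_cap;
    memcpy(dst, buf + HDR_LEN, n);
    return n;
}

/* FIXED: every header-derived size is validated against the real buffer sizes before
 * any write. The 64-bit product cannot overflow for 16-bit dimensions and bpp <= 4. */
size_t decode_fixed(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap) {
    img_hdr_t h;
    if (!read_hdr(buf, len, &h)) return 0;
    if (h.width == 0 || h.height == 0 || h.bpp == 0 || h.bpp > 4) return 0;
    uint64_t n = (uint64_t)h.width * h.height * h.bpp;
    if (n > (uint64_t)(len - HDR_LEN)) return 0;   /* payload shorter than claimed: OOB read */
    if (n > (uint64_t)dst_cap) return 0;           /* output smaller than claimed: OOB write */
    memcpy(dst, buf + HDR_LEN, (size_t)n);
    return (size_t)n;
}

/* Constructed sample inputs, not real image files. */
static const uint8_t SAMPLE_OK[HDR_LEN + 4]    = {2,0, 2,0, 1, 0,0,0, 0xAA,0xBB,0xCC,0xDD};
static const uint8_t SAMPLE_HUGE[HDR_LEN + 4]  = {0xFF,0xFF, 0xFF,0xFF, 4, 0,0,0, 1,2,3,4}; /* claims ~17 GB */
static const uint8_t SAMPLE_SHORT[HDR_LEN + 4] = {4,0, 2,0, 1, 0,0,0, 1,2,3,4};             /* claims 8, carries 4 */
/* Runs the fixed decoder into a 16-byte buffer; returns bytes written, 0 if the input was rejected. */
size_t fixed_decode_len(const uint8_t *img, size_t len) {
    uint8_t out[16] = {0};
    return decode_fixed(img, len, out, sizeof out);
}
```

Only the fixed decoder is exercised with the oversized samples; feeding them to the flawed one is exactly the memory corruption the advisory describes.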
While Apple does not publicly disclose the technical details of the attacks observed, this kind of exploit scenario is typical of watering-hole, spear-phishing, or other targeted image-delivery attacks, especially against high-risk individuals.
Attackers shifting to core image services
Attackers seem to be shifting their focus to image processing modules in core system software, rather than going after obvious network-facing services or applications. Last week, Samsung patched a critical bug (CVE-2025-21043) in the image library it ships, 'libimagecodec.quram.so', that allowed remote code execution via a crafted image with zero user interaction.
Because image-parsing frameworks are deeply embedded in how devices handle everything from messaging to media galleries, these kinds of exploits can lurk quietly, triggered by seemingly harmless actions.
Users are advised to update not just their phones and tablets but also any related devices that share the ImageIO or equivalent image processing modules. It is safe to assume the bug has no workaround since ImageIO is a core framework and users can’t disable or replace it. The only realistic mitigation is installing the update.
Apple has dealt with eight zero-days so far in 2025, having fixed a total of six in 2024. The Cupertino giant had fixed twenty such bugs a year ago, including the notorious RCE bugs CVE-2023-32434 and CVE-2023-32435, allegedly used in the Operation Triangulation spy campaign against Russia.