Apple has released iOS 18.3.2 and iPadOS 18.3.2 updates with an emergency fix for a critical zero-day vulnerability in the WebKit browser engine that is being actively exploited by attackers.
The vulnerability, identified as CVE-2025-24201, allows an attacker to access memory outside of its intended range. Apple said the flaw in the OS code could have been used in an “extremely sophisticated attack against specific target individuals.” “This is an additional fix for the security components that were improved with the release of iOS 17.2,” the company said. The vulnerability was addressed using improved checks to prevent unauthorized actions.
Apple’s announcement did not say whether the vulnerability was discovered by one of its researchers or someone outside the company, nor did it say when the attacks using the bug began or how long they lasted. “To protect our customers, Apple does not disclose, discuss, or confirm security issues until an investigation has been completed and fixes or releases are available,” the company added.
While this zero-day vulnerability was likely only used in targeted attacks, Apple recommended that users urgently install security updates to block potential ongoing attack attempts.