Apple patches Image I/O zero-day exploited in targeted attacks
Summary
Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw, an out-of-bounds write issue, was exploited in "extremely sophisticated" targeted attacks against specific individuals. The vulnerability affects multiple iOS, iPadOS, and macOS versions and devices. Apple has not attributed the discovery to a specific researcher or provided details about the attacks. Attackers can exploit the flaw by supplying malicious input, potentially leading to remote code execution. Affected devices include various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS. The flaw was discovered internally by Apple and addressed with improved bounds checking. The vulnerability has been exploited as part of highly targeted attacks. Users are advised to install the updates promptly to mitigate potential ongoing attacks.
CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021.
Apple has backported fixes for the vulnerability to older versions of iOS, iPadOS, and macOS, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. The updates also address multiple other security flaws in various Apple products. The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks. The attacks were described as "extremely sophisticated" by Apple and WhatsApp. Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.
Timeline
- 16.09.2025 14:06 · 2 articles · 1d ago
  Apple backports fixes for CVE-2025-43300 to older iOS, iPadOS, and macOS versions
  The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks. The attacks were described as "extremely sophisticated" by Apple and WhatsApp. Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.
  Sources:
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- 11.09.2025 22:02 · 1 article · 5d ago
  CERT-FR reports multiple spyware attacks targeting Apple users
  CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The notifications were sent on March 5, April 29, June 25, and September 3. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021. Apple advises users to enable Lockdown Mode and request rapid-response emergency security assistance.
  Sources:
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- 20.08.2025 21:44 · 6 articles · 27d ago
  Apple patches Image I/O zero-day flaw exploited in targeted attacks
  The flaw affects iPhone 6s, iPhone 7, iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, iPhone X, iPad Air 2, iPad mini (4th generation), iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, and iPod touch (7th generation).
  Sources:
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
Information Snippets
- The zero-day vulnerability, CVE-2025-43300, is an out-of-bounds write flaw in the Image I/O framework.
  First reported: 20.08.2025 21:44 (3 sources, 6 articles)
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- Attackers can exploit the flaw by supplying malicious input, potentially leading to remote code execution.
  First reported: 20.08.2025 21:44 (3 sources, 6 articles)
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The vulnerability affects multiple iOS, iPadOS, and macOS versions and devices.
  First reported: 20.08.2025 21:44 (3 sources, 6 articles)
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- Apple has released updates to fix the vulnerability in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
  First reported: 20.08.2025 21:44 (2 sources, 4 articles)
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The affected devices include various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS.
  First reported: 20.08.2025 21:44 (2 sources, 4 articles)
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- Apple has not attributed the discovery to a specific researcher or provided details about the attacks.
  First reported: 20.08.2025 21:44 (2 sources, 4 articles)
  - Apple fixes new zero-day flaw exploited in targeted attacks - www.bleepingcomputer.com - 20.08.2025 21:44
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw was discovered internally by Apple and addressed with improved bounds checking.
  First reported: 21.08.2025 07:47 (3 sources, 4 articles)
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The vulnerability has been exploited as part of highly targeted attacks.
  First reported: 21.08.2025 07:47 (3 sources, 5 articles)
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- Apple has fixed a total of seven zero-days exploited in real-world attacks since the start of the year.
  First reported: 21.08.2025 07:47 (2 sources, 3 articles)
  - Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks - thehackernews.com - 21.08.2025 07:47
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
- The flaw was exploited in "extremely sophisticated" targeted attacks.
  First reported: 22.08.2025 17:07 (3 sources, 4 articles)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw affects iOS, iPadOS, and macOS.
  First reported: 22.08.2025 17:07 (3 sources, 4 articles)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The vulnerability was discovered by Apple employees.
  First reported: 22.08.2025 17:07 (3 sources, 4 articles)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- Apple has used the term "extremely sophisticated" to signify nation-state threats and spyware activity.
  First reported: 22.08.2025 17:07 (3 sources, 4 articles)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- In February, Apple disclosed CVE-2025-24200, a zero-day flaw allowing unauthorized users to disable USB Restricted Mode, exploited in an "extremely sophisticated" attack.
  First reported: 22.08.2025 17:07 (1 source, 1 article)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
- In April, Apple patched CVE-2025-43200, a zero-day flaw stemming from a logic issue in processing a maliciously crafted image or video shared through an iCloud link.
  First reported: 22.08.2025 17:07 (1 source, 1 article)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
- In June, the Citizen Lab revealed that CVE-2025-43200 was used in a zero-click iOS exploit from Paragon Solutions, targeting two journalists.
  First reported: 22.08.2025 17:07 (1 source, 1 article)
  - Apple Patches Zero-Day Flaw Used in 'Sophisticated' Attack - www.darkreading.com - 22.08.2025 17:07
- CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- The notifications were sent on March 5, April 29, June 25, and September 3.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- Apple has sent threat notifications to users in over 150 countries since 2021.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- Apple advises users targeted by mercenary spyware attacks to enable Lockdown Mode and request rapid-response emergency security assistance.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- The attacks exploit zero-day vulnerabilities or require no user interaction.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- Apple does not attribute the attacks or resulting threat notifications to any specific attackers or geographical regions.
  First reported: 11.09.2025 22:02 (1 source, 1 article)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
- The attacks were chained with a WhatsApp zero-click vulnerability (CVE-2025-55177).
  First reported: 11.09.2025 22:02 (2 sources, 2 articles)
  - Apple warns customers targeted in recent spyware attacks - www.bleepingcomputer.com - 11.09.2025 22:02
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
- The fix for CVE-2025-43300 has been backported to older iOS, iPadOS, and macOS versions.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The updates have been rolled out alongside multiple other security patches for various Apple products.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw in question is an out-of-bounds write issue in the ImageIO component.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw could result in memory corruption when processing a malicious image file.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw has been actively exploited in the wild.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw has been exploited in highly targeted spyware attacks aimed at fewer than 200 individuals.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw has been chained with a WhatsApp zero-click vulnerability (CVE-2025-55177).
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The updates include fixes for multiple other vulnerabilities in various Apple components.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The updates address a number of other security flaws in iOS, iPadOS, macOS, tvOS, visionOS, watchOS, Safari, and Xcode.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The updates include fixes for vulnerabilities in IOKit, LaunchServices, Sandbox, Safari, WebKit, CoreAudio, DiskArbitration, Power Management, RemoteViewServices, Shortcuts, Spotlight, StorageKit, and Git in Xcode.
  First reported: 16.09.2025 14:06 (2 sources, 2 articles)
  - Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack - thehackernews.com - 16.09.2025 14:06
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw affects iPhone 6s, iPhone 7, iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, iPhone X, iPad Air 2, iPad mini (4th generation), iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, and iPod touch (7th generation).
  First reported: 16.09.2025 15:16 (1 source, 1 article)
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks.
  First reported: 16.09.2025 15:16 (1 source, 1 article)
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- The attacks were described as "extremely sophisticated" by Apple and WhatsApp.
  First reported: 16.09.2025 15:16 (1 source, 1 article)
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
- Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.
  First reported: 16.09.2025 15:16 (1 source, 1 article)
  - Apple backports zero-day patches to older iPhones and iPads - www.bleepingcomputer.com - 16.09.2025 15:16
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses
A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.
Critical Out-of-Bounds Write Vulnerability in Samsung Android Devices Exploited in the Wild
Samsung has patched a critical zero-day vulnerability (CVE-2025-21043) in its Android devices, which has been actively exploited in the wild. The flaw, an out-of-bounds write in the libimagecodec.quram.so library, allows for arbitrary code execution. The vulnerability affects Android versions 13, 14, 15, and 16. The issue was privately disclosed to Samsung on August 13, 2025, and a fix was released in the September 2025 security update. The exploit's specifics and the actors behind it remain undisclosed. This development follows Google's recent patching of two other actively exploited Android vulnerabilities.
Fourth Spyware Campaign Targeting French Apple Users in 2025
Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.