Apple on Tuesday released iOS 18.3.2 and iPadOS 18.3.2 with an urgent fix for a WebKit flaw that’s already been exploited on older versions of the mobile operating system.
The zero-day, tagged as CVE-2025-24201, allows attackers to break out of the Web Content sandbox, and Cupertino warns that it “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”
“This is a supplementary fix for an attack that was blocked in iOS 17.2,” the company said in a barebones bulletin.
“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” the company added.
Apple described the bug as an out-of-bounds write issue that was fixed with improved checks to prevent unauthorized actions.
The iOS 18.3.2 rollout comes exactly one month after Apple patched a security flaw that allowed attackers with physical access to a locked iPhone or iPad to disable USB Restricted Mode – a key protection mechanism.
In that case, the company said the bug led to “an extremely sophisticated attack against specific targeted individuals.” The discovery of the exploit was credited to Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School, suggesting the exploit was used for nation-state level surveillance.
USB Restricted Mode is a security feature designed to block data access via an iPhone or iPad’s Lightning/USB-C port when the device has been locked for over an hour. It was introduced to thwart hacking tools that connect via USB to crack a device’s passcode or extract data.