CVE-2025-24201

Exploited in the Wild

Yes

NIST CVSS Scores

CVSS v3.1 Base Score: 8.8 (High)

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA CVSS Scores

CVSS v3.1 Base Score: 7.1 (High)

AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Operating Systems Impacted

macOS Sequoia (prior to 15.3.2)
iOS (prior to 18.3.2)
iPadOS (prior to 18.3.2)
visionOS (prior to 2.3.2)
watchOS (prior to 11.4)

Applications Impacted

Safari (prior to 18.3.1)

Additional Resources

Description

CVE-2025-24201 is an out-of-bounds write vulnerability in WebKit, Apple's browser engine. Maliciously crafted web content could exploit this issue to break out of the Web Content sandbox, potentially leading to arbitrary code execution. Apple addressed this vulnerability by implementing improved checks to prevent unauthorized actions in the affected systems. According to Kandji's analysis, this vulnerability exemplifies the challenges posed by shared codebases across different platforms. The widespread use of WebKit means that a single vulnerability can have far-reaching implications beyond just Apple's ecosystem.

Impact

Exploitation of this vulnerability could allow attackers to execute arbitrary code on the affected devices, leading to potential data breaches, unauthorized access, or further compromise of the system. Apple has acknowledged reports that this issue may have been exploited in extremely sophisticated attacks against specific targeted individuals on versions of iOS before iOS 17.2. The severity of this issue has been assessed as follows:

Caught in the WebKit: Getting Tangled with CVE-2025-24201

CVE-2025-24201, a high-severity WebKit vulnerability, can affect multiple browsers. Learn what this means for your organization and what to monitor next.

Description

Impact

Caught in the WebKit: Getting Tangled with CVE-2025-24201

CVE-2024-40795

CVE-2025-24162

CVE-2025-30427

Stay up to date