iOS Vulnerabilities (CVEs) from 2025 You Need to Know About
Security for devices running mobile operating systems, whether phones or tablets, is critical. Usually, you cannot know what vulnerabilities your devices have without actually searching for them or installing a third-party agent. At least that was the case before MrBenny!
Apple’s iPhones and iPads are high-value targets for attackers, and flaws can lead to device compromise or data theft. In the first quarter of 2025, multiple iOS vulnerabilities were disclosed and patched – including several high-severity bugs and two actively exploited zero-day flaws.
| CVE | Affected software | Severity | CVSS | Exploited? | Impact |
|---|---|---|---|---|---|
| CVE-2025-24154 | WebContentFilter | Critical | 9.3 | No | Memory Corruption (Potential RCE) |
| CVE-2025-24137 | AirPlay | High | 8.0 | No | Remote Code Execution |
| CVE-2025-24085 | CoreMedia | High | 7.8 | Yes | Privilege Escalation |
| CVE-2025-24200 | Accessibility | Medium | 6.1 | Yes | Security Feature Bypass |
| CVE-2025-24107 | Kernel | High | 7.8 | No | Elevation of Privilege |
| CVE-2025-24159 | Kernel | High | 7.8 | No | Elevation of Privilege |
| CVE-2025-24128 | Safari | Medium | 4.3 | No | UI Spoofing (Phishing) |
Major Vulnerabilities and Exploits
Critical Memory Corruption – WebContentFilter (CVE-2025-24154)
CVE-2025-24154 is an example of a critical memory corruption issue. Apple’s advisory notes the bug could cause “unexpected system termination or corrupt kernel memory”, indicating a crash or an opening for code execution. The attack vector might involve a malicious website or network content that triggers the filter (since WebContentFilter scans web content at the OS level). Given the CVSS 9.8 Critical rating, it’s likely that exploitation could be done remotely (network-based) with no user privileges and minimal interaction, resulting in a full device compromise. Fortunately, there were no known active exploits. However, a successful exploit of CVE-2025-24154 would be catastrophic, allowing the attacker to run arbitrary code in the kernel (highest privilege) or crash the device at will.
Solution
To keep attackers from installing malware that runs at the lowest level of the OS (bypassing most security protections), all devices running iOS 18.2 or earlier should be upgraded to iOS 18.3, which introduced proper input validation in WebContentFilter to prevent memory corruption.
AirPlay Remote Code Execution (CVE-2025-24137)
iOS 18.3 also patched CVE-2025-24137, a vulnerability in the AirPlay component that could allow remote code execution over the local network. An attacker on the same Wi-Fi or network segment (adjacent network access) could exploit this. Likely, they would impersonate a trusted AirPlay receiver or broadcast maliciously crafted AirPlay service messages. If the victim’s device processes this malicious AirPlay communication (possibly even just detecting it on the network or the user attempting to connect), the type confusion bug could be triggered. Notably, some user interaction might be required (CVSS vector indicates UI:R) – for example, the user could be prompted to accept an AirPlay connection. A successful exploit lets the attacker execute arbitrary code on the target iOS device with the privileges of the AirPlay service, for example to install spyware or perform unauthorized actions on the device remotely, as long as they are within network range.
Solution
Enterprises should be especially wary in office or public Wi-Fi environments. To mitigate risk, keep devices updated (iOS 18.3 or later contains the patch) and consider disabling AirDrop/AirPlay discovery in untrusted networks or using network segmentation to limit exposure.
CoreMedia Zero‑Day (CVE-2025-24085)
CVE-2025-24085 is a use-after-free memory flaw in Apple’s CoreMedia, the framework responsible for media handling (audio/video) on Apple devices. This bug allowed a malicious application to elevate its privileges on the device – essentially escaping normal sandbox restrictions to gain deeper control. Apple confirmed it “may have been actively exploited” in the wild as a zero-day on devices running iOS versions prior to 17.2. To exploit CVE-2025-24085, an attacker would likely trick a user into installing a rogue app (for example, a trojanized app or an enterprise-signed app). The exploit would then grant the app unauthorized privileges, potentially allowing the attacker to take control of the device. This essentially turns a simple app into a vector for full device compromise: the attacker could install spyware, steal data, or persist on the device.
Solution
This was Apple’s first iOS zero-day of 2025 and affected not just iOS, but other Apple OSes using CoreMedia (macOS, watchOS, tvOS, etc., which were patched in tandem). Users should update to iOS 18.3 (or later) immediately.
USB Restricted Mode Bypass Zero‑Day (CVE-2025-24200)
In early February, Apple rushed out iOS 18.3.1 as an emergency patch to fix CVE-2025-24200, an actively exploited vulnerability. This flaw is an authorization logic issue in the Accessibility framework that allowed an attacker with physical device access to disable USB Restricted Mode on a locked iPhone. USB Restricted Mode prevents USB accessories from communicating with a device that’s been locked for over an hour. It’s meant to thwart forensic tools like Cellebrite and GrayKey from brute-forcing passcodes or extracting data via the Lightning port. It appears that CVE-2025-24200 was used as part of a highly targeted, “extremely sophisticated” attack scenario. An attacker (likely a state-sponsored actor or law enforcement using a hacking tool) would need physical possession of the iPhone or iPad, breaking out of USB Restricted Mode without knowing the passcode. This could be one step in a larger attack chain – for example, enabling the attacker to install malware or download device data through the USB port while the device remains locked.
Solution
While the CVSS score (6.1 Medium) reflects the need for physical access, the real-world impact is high for targeted individuals – it defeats a core security control meant to protect locked devices. All the more so since it was likely discovered during investigation of spyware incidents. All users should install iOS 18.3.1 (or later), which fixes this flaw. High-risk users might also enable Apple’s Lockdown Mode for additional protection against sophisticated physical attacks.
Kernel Privilege Escalation Vulnerabilities (CVE-2025-24107 & CVE-2025-24159)
Two kernel-level vulnerabilities fixed in iOS 18.3 deserve attention: CVE-2025-24107 and CVE-2025-24159. Both allowed malicious apps to break out of normal sandbox restrictions and gain elevated privileges in the OS kernel. Notably, if an attacker had first exploited a remote code execution flaw (like via a malicious app or AirPlay bug), they could use one of these kernel LPEs as a second stage to achieve full device takeover.
CVE-2025-24107 is described as a permissions issue in the kernel through which a rogue app “may be able to gain root privileges”. The vulnerability was also present on macOS (fixed in 15.3) since Apple’s kernels share code across platforms. CVSS was rated 7.8 (High) given the significant impact of root compromise. CVE-2025-24159 is a kernel logic validation flaw that could lead to arbitrary code execution with kernel privileges. Like CVE-2025-24107, exploitation requires a malicious app or tricking the user into some action (e.g. opening a malformed file), but no special device privileges are needed. It also scored 7.8 (High).
Solution
Both vulnerabilities would let an attacker escape the iOS app sandbox, allowing actions such as reading/writing any file, accessing all device sensors, installing persistent backdoors, or otherwise fully controlling the device’s OS. While there were no reports of these specific kernel bugs being exploited in the wild as of Q1 2025, they represent critical weaknesses. Patching is the only effective solution, since Apple’s security model relies on keeping the kernel secure. Users should avoid sideloading apps from untrusted sources.
Safari Address Bar Spoofing (CVE-2025-24128)
Not all vulnerabilities are about code execution; some target user perception and can facilitate phishing. CVE-2025-24128 is one such bug in Safari (the built-in browser), allowing a malicious website to perform address bar spoofing. In this case, a hacker could craft a webpage that, when viewed, tricks Safari into displaying a fake URL or UI.
The site could, for example, display apple.com in the address bar while actually showing attacker-controlled content (a phishing login form, etc.). This UI deception could lead users to confidently enter credentials or personal data into a fake page. While the bug by itself doesn’t give the attacker device access, it is dangerous in a social context.
Solution
Users should always be cautious when entering credentials on mobile browsers – if something seems off (like slight delays or odd behavior of the address bar), it’s worth rechecking the URL or using an official app. Thankfully, updating to iOS 18.3 or later corrects this spoofing bug, and Apple also updated macOS Safari accordingly.
By following the above recommendations and maintaining good security hygiene, iOS users and administrators can significantly reduce the risk posed by these vulnerabilities. The flurry of CVEs in early 2025 – from trivial spoofing bugs to serious zero-days – highlights that constant vigilance and prompt updates are essential in the Apple ecosystem.
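For administrators acting on the update recommendations above, the following added example (not part of the original article) checks a device inventory against the iOS 18.3 and 18.3.1 fix versions named on this page and lists which of these CVEs each device still carries, actively exploited ones first. The CSV layout and device names are hypothetical, and the check models only the fix versions stated above, not patches on any other release branch.

```python
import csv
import io

# (CVE, component, CVSS, exploited in the wild, first fixed iOS version), as listed on this page.
PAGE_CVES = [
    ("CVE-2025-24154", "WebContentFilter", 9.3, False, "18.3"),
    ("CVE-2025-24137", "AirPlay", 8.0, False, "18.3"),
    ("CVE-2025-24085", "CoreMedia", 7.8, True, "18.3"),
    ("CVE-2025-24200", "Accessibility", 6.1, True, "18.3.1"),
    ("CVE-2025-24107", "Kernel", 7.8, False, "18.3"),
    ("CVE-2025-24159", "Kernel", 7.8, False, "18.3"),
    ("CVE-2025-24128", "Safari", 4.3, False, "18.3"),
]

# Constructed sample inventory (hypothetical device names), e.g. an MDM export.
SAMPLE_INVENTORY = """device,os_version
ceo-iphone,18.3
sales-ipad-07,18.2.1
lab-iphone-02,18.3.1
kiosk-ipad-01,17.6
byod-unknown,beta
"""

def parse_version(text):
    """'18.3.1' -> (18, 3, 1), padded to three parts; None if not numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def unpatched_cves(os_version):
    """CVE IDs still open on os_version, exploited first, then by CVSS; None if unparseable."""
    current = parse_version(os_version)
    if current is None:
        return None
    open_cves = [c for c in PAGE_CVES if current < parse_version(c[4])]
    open_cves.sort(key=lambda c: (not c[3], -c[2]))
    return [c[0] for c in open_cves]

def audit(inventory_csv):
    """Map device name -> list of open CVE IDs (None means version unknown, check manually)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: unpatched_cves(row["os_version"]) for row in rows}

if __name__ == "__main__":
    for device, cves in audit(SAMPLE_INVENTORY).items():
        status = "UNKNOWN VERSION" if cves is None else (", ".join(cves) or "patched")
        print(f"{device:15} {status}")
```

A device on iOS 18.3 is still reported for CVE-2025-24200, because that fix arrived only in 18.3.1.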