"Malicious" images giving hackers access.
Updated 12:20 BST, August 22, with the vulnerability's addition to the CISA KEV Catalogue.
Apple has urged users to patch a bug affecting iPhone, iPad and Mac devices after finding it had already been used in “extremely sophisticated” attacks in the wild.
The vulnerability, CVE-2025-43300, allowed memory corruption via a malicious image file and was fixed in an out-of-band security update released late Wednesday.
Apple said it “is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
The issue has also since been added to CISA's Known Exploited Vulnerabilities Catalogue.
The issue, discovered internally, sits in the Image I/O framework, which allows apps to read and write image files, and was addressed with "improved bounds checking."
The bug was found in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2.
Apple was characteristically scant on details of the attack and did not supply information on who might have been involved on the victim or attacking side.
Sylvain Cortes, VP strategy at vulnerability management company Hackuity, said: “Previous exploits of this nature have been used to target government officials, journalists, and other high-value individuals.”
All users of the affected devices are advised to update to the latest software urgently, particularly if they operate in a sensitive industry.
A list of zero-days
The update marks the seventh zero-day Apple has addressed in 2025. Most recently, the company disclosed that a February update had patched two bugs affecting USB Restricted Mode and Messages.
The former, CVE-2025-24200, allowed an attacker with physical device access to disable USB Restricted Mode on a locked device.
The latter, CVE-2025-43200, caused a logic issue via a “maliciously crafted photo or video shared via an iCloud Link” and was also used in “an extremely sophisticated attack.”