Apple has released emergency security updates for iOS 18.6.2 and iPadOS 18.6.2 to address a critical zero-day vulnerability, tracked as CVE-2025-43300, in the core Image I/O framework. This flaw, a memory corruption issue caused by an out-of-bounds write, can be triggered by processing a maliciously crafted image file. Apple confirmed that the vulnerability is already being actively exploited in highly targeted attacks, raising the severity of the threat for affected users.

The exploit leverages the ability to write data outside of the intended memory buffer, a classic technique used to achieve arbitrary code execution. This could allow attackers to take complete control of vulnerable devices. The attack pattern resembles previous zero-click exploits such as those used to deliver sophisticated spyware like Pegasus, where simply receiving a malicious image through a messaging app could silently compromise a device without user interaction.

Apple’s advisory emphasized that the exploitation is highly sophisticated and aimed at specific individuals, suggesting the involvement of state-sponsored threat actors. In response, the company has patched the flaw across a wide range of devices, including the iPhone XS and later, iPad Pro (3rd gen and later), iPad Air (3rd gen and later), iPad 7th gen and later, and iPad mini 5th gen and later. The fix strengthens bounds checking within the Image I/O framework, preventing attackers from executing the out-of-bounds write.

The discovery was credited to Apple itself, likely through internal investigations tied to reports of active exploitation. Security experts strongly recommend that all users update their devices immediately via the Software Update function in Settings. The active abuse of CVE-2025-43300 elevates the risk from theoretical to urgent, making timely patching the most critical defense against these ongoing targeted attacks.