Multiple Apple Products Zero-Day Vulnerabilities

March 20, 2025

Severity

High

Analysis Summary

CVE-2025-24124 CVSS:9.8

Apple has addressed a vulnerability in its operating systems through updates including iPadOS 17.7.4, macOS Ventura 13.7.3, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, and tvOS 18.3. The issue involves potential unexpected app termination during file parsing, which has now been fixed with improved system checks across multiple Apple device platforms.

CVE-2024-54500 CVSS: 5.5

This vulnerability allows remote malicious users to disclose sensitive information on affected installations of Apple macOS. Interaction with the ImageIO framework is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of pixel conversion. Crafted data in a PVR image can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

CVE-2024-54501 CVSS: 5.5

This vulnerability allows remote malicious users to create a denial-of-service condition on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WindowServer component. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

CVE-2024-54497 CVSS: 6.5

Apple macOS Ventura is vulnerable to a denial of service in the QuartzCore component when visiting a specially crafted Web site.

CVE-2025-24123 CVSS:9.8

Apple has addressed a vulnerability that could cause an unexpected application crash when parsing a file. The issue has been resolved in multiple operating system updates, including iPadOS 17.7.4, macOS Ventura 13.7.3, macOS Sonoma 14.7.3, visionOS 2.3, iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, and tvOS 18.3. The update includes improved file parsing checks to prevent potential app termination during file processing.

CVE-2025-24139 CVSS:9.8

This vulnerability allows remote malicious users to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICC profiles. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

CVE-2024-54486 CVSS:6.5

This vulnerability allows remote malicious users to disclose sensitive information on affected installations of Apple macOS. Interaction with the libFontParser library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of glyph mapping. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.

CVE-2024-54499 CVSS:8.1

This vulnerability allows remote malicious users to disclose sensitive information on affected installations of Apple macOS. Interaction with the ImageIO framework is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

CVE-2025-24149 CVSS:5.5

This vulnerability allows remote malicious users to disclose sensitive information on affected installations of Apple SceneKit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the rendering of 3D assets. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current user.

Impact