Apple has issued critical software updates to address multiple security vulnerabilities across its device lineup, including a zero-day flaw identified as CVE-2025-24085. This vulnerability, described as a use-after-free bug in the Core Media component, could allow a malicious application already installed on a device to gain elevated privileges. The company confirmed that the issue has been exploited in the wild against older versions of iOS prior to iOS 17.2. The patch mitigates the flaw with improved memory management across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.
The updates also tackle five AirPlay vulnerabilities discovered by Oligo Security researcher Uri Katz. These flaws, under specific conditions, could enable attackers to trigger system crashes, denial-of-service (DoS) attacks, or execute arbitrary code. Additionally, Google’s Threat Analysis Group (TAG) reported three vulnerabilities in the CoreAudio component (CVE-2025-24160, CVE-2025-24161, and CVE-2025-24163), which could cause unexpected app terminations when parsing specially crafted files.
These fixes reinforce Apple’s ongoing efforts to enhance system integrity and user safety.
Apple’s advisory did not detail how CVE-2025-24085 was exploited in real-world attacks or provide information about the attackers or targeted victims. The updates apply to a wide range of devices, including iPhones from the XS onward, iPads starting from the 7th generation, Apple TV models, Apple Watch Series 6 and newer, and Macs running macOS Sequoia. For enhanced user protection, Apple Vision Pro and devices using visionOS 2.3 are also included in the security rollout.
Users are urged to promptly apply these updates to safeguard against potential threats, especially given the active exploitation of CVE-2025-24085. Apple’s proactive fixes demonstrate its commitment to addressing security gaps and mitigating risks. With vulnerabilities potentially enabling privilege escalation, system crashes, or code execution, the updates are vital for ensuring user data and device security.