⚠ Actively exploited

Added to CISA KEV on 2025-08-21. Federal agencies required to patch by 2025-09-11. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-43300 — Out-of-bounds Write in Apple IOS AND Ipados

CWE-787 — Out-of-bounds Write26 documents11 sources

Severity

10.0CRITICALNVD

EPSS

2.4%

top 14.90%

CISA KEV

KEV

Added 2025-08-21

Due 2025-09-11

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Ipados Apple Macos +4 more

Timeline

PublishedAug 21

KEV addedAug 21

KEV dueSep 11

Latest updateMar 5

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12, iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, macOS Ventura 13.7.8. Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages9 packages

▶CVEListV5apple/ipados< 17.7.10

▶NVDapple/ipados16.0 — 16.7.12+3

▶CVEListV5apple/ios_and_ipados< 15.8.5+2

▶CVEListV5apple/macos< 13.7.8+2

▶NVDapple/macos13.0 — 13.7.8+2

🔴Vulnerability Details

GHSA

GHSA-cpwx-wfp4-x368: An out-of-bounds write issue was addressed with improved bounds checking↗2025-08-21

▶

CVEList

CVE-2025-43300: An out-of-bounds write issue was addressed with improved bounds checking↗2025-08-21

▶

VulnCheck

Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability↗2025

▶

📋Vendor Advisories

Apple

CVE-2025-43300: iOS 15.8.5 and iPadOS 15.8.5↗2025-09-15

▶

Apple

CVE-2025-43300: iOS 16.7.12 and iPadOS 16.7.12↗2025-09-15

▶

CISA

Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability↗2025-08-21

▶

Apple

CVE-2025-43300: macOS Sequoia 15.6.1↗2025-08-20

▶

Apple

CVE-2025-43300: macOS Ventura 13.7.8↗2025-08-20

▶

🕵️Threat Intelligence

Mandiant

Look What You Made Us Patch: 2025 Zero-Days in Review↗2026-03-05

▶

Mandiant

Look What You Made Us Patch: 2025 Zero-Days in Review↗2026-03-05

▶

Bleepingcomputer

Apple fixes two zero-day flaws exploited in 'sophisticated' attacks↗2025-12-12

▶

Bleepingcomputer

New LandFall spyware exploited Samsung zero-day via WhatsApp messages↗2025-11-07

▶

Unit42

LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices↗2025-11-07

▶